ABSTRACT


The Institute of Electrical and Electronics Engineers’ new 802.16 standard is set
to revolutionize the delivery of Broadband Wireless Access (BWA), much as the IEEE
802.11 “Wi-Fi” standard transformed wireless access to Local Area Networks. The
standard describes a set of Medium Access Controls (MAC) and Air Interfaces that cover
a broad range of broadcast frequencies and applications. As a result, manufacturers are
developing IEEE 802.16 compliant equipment for high speed point-to-point circuits and
point-to-multipoint circuits dubbed Wireless Metropolitan Area Networks (WMANs).
These networks can span several miles and contain hundreds of subscribers. Shortly after
IEEE 802.11 “Wi-Fi” systems became widespread, several serious Denial of Service
(DoS) vulnerabilities inherent to the standard were discovered. This thesis examines the
MAC layer of the 802.16 standard to determine whether these types of denial of service
vulnerabilities are also present in the new standard. Also examined are vulnerabilities
that may be unique to the 802.16 standard.
I. INTRODUCTION


A. BACKGROUND 

In homes and offices around the globe, Wireless Local Area Networks (WLANs) 
have become commonplace. They have proven enormously popular, with millions of 
wireless cards and routers with integrated access points sold to date. The reasons for this 
popularity are manifold. These networks are truly routable, working seamlessly with 
wired LAN equipment. They are also capable of operating at data rates close to those of 
their wired equivalents. Finally, most WLAN equipment is completely vendor neutral 
and quite inexpensive. 

These advantages are made possible by the fact that virtually all WLAN
deployments are built around standards-based equipment, rather than proprietary systems.
When the Institute of Electrical and Electronics Engineers (IEEE) released its IEEE
802.11 standard for Wireless LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications in 1999 it paved the way for the mass production of vendor
interoperable equipment. To guarantee that each new piece of wireless equipment will
work with the rest of the network, strict adherence to the IEEE 802.11 standard was
enforced by third party interoperability testing. This testing and subsequent “Wi-Fi”
branding was conducted by an international industry association known as the Wi-Fi
Alliance. Freedom to choose the network equipment creates cost competition among
manufacturers, which leads to downward spiraling prices and exponentially rising sales.
To date, the Wi-Fi Alliance has certified over 1250 products from over 200 vendors [1].

Given the enormous demand for broadband wireless access, and the commercial
success of standards based equipment, extending the reach of wireless networks becomes
a logical next step, and the Institute of Electrical and Electronics Engineers released its
802.16 standard in 2001 [2]. Where the better known IEEE 802.11 Standard forms the
basis for wireless Local Area Networks with a handful of users inside a few hundred
meter radius, the IEEE 802.16 standard enables much larger networks. Dubbed
“Metropolitan Area Networks” (MANs), these new networks are meant to provide
service to hundreds, or even thousands of users across a city-sized network. The IEEE
802.16 standard defines the air interface for a fixed, broadband wireless network with
operating frequencies from 2 to 66 GHz, along with a variety of physical layer
specifications. The standard encompasses point-to-point (PTP) and point-to-multipoint
(PMP) modes as well as mesh networks.

Formally known as “IEEE Std. 802.16-2004 Standard for Local and Metropolitan
Area Networks Part 16: Air Interface for Fixed Broadband Wireless Access Systems,”
the standard was ratified on 24 June, 2004 [3]. This standard is a revision of the earliest
version of the standard 802.16-2001, and was created by integrating extensions 802.16a- 
2003 and 802.16c-2002 into the basic standard. The earliest standard had evolved from 
its basic specification for operating frequencies in the 10-66 GHz range to include mesh 
and non line-of-sight extensions. These extensions included new physical layer 
specifications which add coverage in the 2-11 GHz range. Importantly, the standard 
incorporates differential Quality of Service (QoS) at its core, making it ideal for jitter- 
intolerant services such as voice and streaming video. The QoS parameters built into the 
standard include minimum traffic rate, tolerated jitter and maximum latency. There is 
also built in support for vendor specified QoS parameters. Networks and equipment have 
been planned to service a wide variety of scenarios, from commercial wireless backhaul 
for cell-phone companies to residential broadband internet. 

Equipment built under the 802.16 standard is collectively marketed under the 
WiMAX banner. Analogous to the Wi-Fi Alliance, the WiMAX Forum ensures 
compliance with the 802.16 standard. WiMAX Forum members include Intel 
Corporation, Motorola and AT&T Research among many others. With heavy consumer 
and commercial demand, broad industry support and a well developed standard, sales of 
802.16 compliant equipment are expected to soar in the coming years [4]. 


B. THE DENIAL OF SERVICE CONCEPT 

While the phrase “denial of service” is fairly new, the concept is not. As far back 
as the American Civil War, denial of service attacks plagued the communications 
networks of North and South alike. In that era, the targets were telegraph lines, with 
attacks consisting of raids to physically cut the wires that crossed the countryside. In one 
area, Southern guerilla attacks against the telegraph lines were so problematic that
General U. S. Grant resorted to a twenty mile length of underwater cable - no mean feat 
in 1864. Today, however, we have a vastly different view of denial of service attacks. 
No longer seen only in warfare, denial of service attacks have been conducted by 
everyone from teenagers to terrorists in recent years. 

Denial of Service attacks may employ one of several attack paradigms. Military
jamming, one form of denial of service, often simply floods the airwaves with
unintelligible noise signals. Like military jamming, many of the denial of service attacks
carried out across the Internet are also brute force attacks that flood the propagation
medium with noise. However, there are several important features of these attacks that
make them very unlike military jamming. Rather than injecting energy from outside the
network, the Internet denial of service attack works by using the network against itself.
Like a lever, the exploited network multiplies the force applied by the attacker by abusing
the very mechanisms that make the network possible. With just a relative few requests,
attackers are able to cause a flood of millions of information requests to be directed
against the target computers. The victim is overwhelmed by the sheer volume of traffic,
with either its network bandwidth or its computing power exhausted by the flood of
information.

These brute force attacks work by exhausting a limited resource, whether it is 
radio frequency spectrum, network bandwidth or computational capacity. There are, 
however, other methods of attack that can be very effective while using just a tiny 
fraction of the available data channel. These attacks work by exploiting the assumption 
that every member of a network will always follow the rules of the network. A single 
misbehaving node can wreak havoc on a network, whether its behavior is malicious or 
unintentional. In early Ethernet applications, a single interface card could unintentionally 
flood the network with data packets. The error control method employed by the network 
only exacerbated the problem. Often, the only real solution was to search for the rogue 
node and remove it from the network. Attacks based on exploiting network transport and 
control mechanisms have been seen in a variety of settings, including the wired Internet 
and wireless networks. 
C. THESIS OBJECTIVES AND ORGANIZATION


Given the success of the IEEE 802.11 standard, and the industry support for
WiMAX, there is a significant probability that IEEE 802.16 compliant networks will see
widespread use in commercial and military applications. 802.16 compliant equipment
has only recently been deployed in commercial settings; however, there are already efforts
underway to adapt these systems to US military needs [5], [6]. This presents a significant
new opportunity in the context of Offensive Information Operations (OIO), as well as
potential pitfalls for Defensive Information Operations (DIO). Of the entire spectrum of
threats and vulnerabilities, this thesis will focus exclusively on denial of service attacks at
the medium access control level, as opposed to physical layer brute force jamming or
higher layer packet floods. The tactical networks that may soon be deployed using
802.16 compliant equipment will need very high availability, even in the face of
adversaries actively seeking to deny and disrupt network services. By understanding the
denial of service vulnerabilities inherent to the MAC from the outset, procurement and
deployment plans may be shaped to minimize the threat to friendly systems, while
allowing time to develop tools and techniques for Offensive Information Operations.
Malicious exploitation of the communication protocol has been shown to provide a
highly effective denial of service attack against IEEE 802.11 based networks. These
types of attacks can be particularly difficult to counter, as they require only sporadic, low
power transmissions to implement. Also, they require little modification to commercially
available systems and virtually no specialized equipment to implement.

There are several serious flaws inherent to the IEEE 802.11 standard that create 
Denial of Service (DoS) vulnerabilities. This thesis examines the 802.16 standard to 
determine whether these types of denial of service vulnerabilities are also present in the 
new standard. Also examined are vulnerabilities that may be unique to the 802.16 
standard. 

Chapter II is an overview of the basic IEEE 802.16 standard and its various
extensions, with emphasis on the Medium Access Control (MAC) layer and Privacy Sublayer,
which are common to all of the point-to-multipoint (PMP) portions of the standard.
These layers are crucial to understanding the types of denial of service attacks to which
the standard is vulnerable. To help understand deployment scenarios and how IEEE
802.16 links are integrated into the overall network architecture, real-world example
networks are presented to form the basis for attack scenarios.

Chapter III is a comparison of IEEE standards 802.11 and 802.16, showing how
the newer standard handles the DoS attacks that are effective against 802.11. 
Exploitation methodologies and scenarios are also presented in this chapter. Also 
discussed is the role that IEEE 802.16’s security measures play in defending against these 
attacks. 

Chapter IV is a discussion of potential denial of service vulnerabilities that are 
new or unique to the IEEE 802.16 standard. This chapter points out ways in which 
certain MAC layer messages may be abused to create Denial of Service attacks that target 
the MAC layer. Difficulties that will be faced by an attacker seeking to generate and 
transmit spoofed messages are addressed. Also presented are general conclusions 
concerning the mechanisms that make these abuses possible. 

Chapter V contains conclusions and recommendations for further research. This 
chapter also includes a list of recommended changes to the standard, both general and 
specific. 
II. OVERVIEW OF IEEE 802.16 STANDARD


A brief overview of the IEEE 802.16 standard is provided to form the basis for
further discussion. The focus will be on the portions of the standard that are most
pertinent to this work. This chapter is based on the detailed standard specification, IEEE 
802.16-2001 [2] as well as the extensions to the standard, IEEE 802.16a-2003 [7] and 
IEEE 802.16c-2002 [8]. The latest version of the standard, IEEE 802.16-2004 [3] was 
not available at the time of this writing. Because IEEE 802.16-2004 [3] is an integration 
of 802.16-2001, IEEE 802.16a-2003 and IEEE 802.16c-2002, rather than a re-write, this 
research maintains a high degree of fidelity to the newest standard. Also in this chapter is 
a description of a real-world IEEE 802.16 network which will serve as the nominal attack 
target. 


A. INTRODUCTION TO THE IEEE 802.16 ARCHITECTURE 


The IEEE 802.16 standard specifies the Physical (PHY) Layer and Medium
Access Control (MAC) layer for broadband wireless access (BWA) within a
Metropolitan Area Network (MAN). IEEE 802.16 fills the gap between the IEEE
802.2 Logical Link Layer and the air interface. Along with the bridging capabilities
specified in IEEE 802.1, these standards and their higher layer access mechanisms can be
used to create fully routable networks. Figure 1 illustrates 802.16’s place in the hierarchy
of IEEE 802 standards.
While IEEE 802.16 has only one Medium Access Control Layer specification, it
has undergone a series of revisions. These revisions added several different PHY layer
specifications as new spectrum allocations, both licensed and unlicensed, became
available. In order to prevent confusion, a brief synopsis of the various extensions and
frequency ranges of the standard is presented below. The MAC will be discussed in
greater detail later in this chapter.

1. IEEE 802.16-2001

The original IEEE 802.16-2001 [2] specification defined a set of MAC and PHY
layer standards intended to provide fixed, broadband wireless access in a point-to-point
or point-to-multipoint (PMP) setting. With single carrier modulation in the 10-66 GHz
range, 802.16-2001 provided support for both Time Division Duplexing (TDD) and
Frequency Division Duplexing (FDD). Assembled into well organized sublayers, IEEE
802.16-2001 defined the basic MAC that is employed over all of the follow-on variations
of the standard. Where IEEE 802.11 relies on Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA) to determine when nodes in the network are allowed to
transmit, the IEEE 802.16-2001 MAC uses an entirely different paradigm to control
transmissions. Transmission times, durations and modulations are assigned by a Base
Station (BS) and shared with all nodes in the network in the form of broadcast Uplink and
Downlink Maps. By scheduling transmission times, the vexing “hidden node” problem is
avoided. Subscribers need only hear the base station, rather than every other node in the
local wireless network. Also, the scheduling algorithm is stable when subjected to
overload or oversubscription conditions.

Subscriber Stations (SS) are able to negotiate for bandwidth allocation on a burst- 
to-burst basis, providing scheduling flexibility. The available modulation schemes 
include QPSK, QAM-16 and QAM-64. These can vary from frame to frame and from SS 
to SS, depending on the robustness of the connection. The ability to change modulation 
and forward error correction schemes to the current propagation conditions allows the 
network to quickly adapt to weather conditions, such as rain fades. Initial transmission 
parameters are negotiated through an interactive process called Initial Ranging. This 
process, in which the BS provides power, modulation and timing feedback to the SS is 
also conducted on an ongoing basis. 
Duplexing of uplink and downlink channels is accomplished using either time
division duplexing (TDD) or frequency division duplexing (FDD). 

Importantly, IEEE 802.16-2001 incorporates features that provide differential
Quality of Service (QoS) down to the PHY layer. QoS support is built around the
concept of service flows that are identified, appropriately enough, by a Service Flow ID.
Service flows are characterized by their QoS Parameters, which can be used to specify
parameters such as maximum latency and tolerated jitter. Service flows are
unidirectional, and may originate at either BS or SS. Higher layer mechanisms, such as
DiffServ, must be employed in conjunction with IEEE 802.16’s service flows to ensure
end-to-end QoS.

The IEEE 802.16 working group recommendations included several security 
features which, at this point in the standard’s development cycle, were largely optional. 
At the core of IEEE 802.16 security is the privacy sublayer. The stated goal of the 
privacy sublayer is to provide confidentiality across the wireless links of the network. 
This is accomplished by encrypting the data sent between the BS and SS. To prevent 
theft of service, SS may be authenticated using X.509 digital certificates which are 
hardwired into every SS. Included in the certificate is the SS’s public key and MAC 
address. Details of the privacy sublayer will be discussed later in this chapter. 

2. IEEE 802.16a-2003

IEEE 802.16a was a major revision to the basic standard, ratified by the IEEE
Standards Board in January 2003 [7]. Most importantly, the IEEE 802.16a extension
added support for the 2-11 GHz bands (licensed and, via WirelessHUMAN, license-exempt),
which opens up many potential markets for the technology. Non Line of Sight (NLOS)
operation becomes possible when operating in the 2-11 GHz range, extending the
geographic reach of the network. Multipath propagation can also become an issue. IEEE
802.16a includes both PHY specifications and enhancements to the MAC layer to deal with
multipath propagation and interference mitigation. Features were added to allow advanced
power management techniques and adaptive antenna arrays. Also, the option of employing
Orthogonal Frequency Division Multiplexing (OFDM) was added as an alternative to single
carrier modulation. To provide a mechanism for interference mitigation when multiple
networks are present, IEEE 802.16a added Orthogonal Frequency Division Multiple Access
(OFDMA) modulation to the range of choices available in the 2-11 GHz range.

Security is improved, with many of the privacy layer features now required
elements, rather than optional. Privacy features are used to authenticate the sender of
certain MAC messages.

IEEE 802.16a also adds optional support for Mesh networks, where traffic can be
routed from subscriber station to subscriber station. This is a change from the PMP
mode, where traffic is only allowed between BS and SS. Appropriate additions to the
MAC layer specification were made to allow for scheduling the transmissions of SS that
are part of the Mesh, but not visible to the BS.

The naming convention employed in the standard is shown in Table 1. While 
some might think the WirelessHUMAN designation refers to a Personal Area Network, it 
is simply a transmission frequency specification for High-speed Unlicensed Metropolitan 
Area Networks. 

3. IEEE 802.16c-2002


In December 2002, the IEEE Standards Board approved amendment IEEE
802.16c [8]. The amendment corrected some errors and inconsistencies in the basic
standard and added detailed system profiles for 10-66 GHz.


Designation         Applicability                   Duplexing   Notes
------------------  ------------------------------  ----------  ---------------------------------------------
WirelessMAN-SC      10-66 GHz                       TDD, FDD    Single Carrier
WirelessMAN-SCa     2-11 GHz Licensed Bands         TDD, FDD    Single Carrier, extended to NLOS frequencies
WirelessMAN-OFDM    2-11 GHz Licensed Bands         TDD, FDD    OFDM for NLOS operation
WirelessMAN-OFDMA   2-11 GHz Licensed Bands         TDD, FDD    OFDM broken into subgroups to provide
                                                                multiple access in a single frequency band
WirelessHUMAN       2-11 GHz License Exempt Bands   TDD         May be SC, OFDM or OFDMA. Must include
                                                                Dynamic Frequency Selection

Table 1. Air Interface Nomenclature and Description. (After [7]).


4. IEEE 802.16-2004


IEEE 802.16-2001, 802.16a and 802.16c were integrated into IEEE 802.16-2004,
which was ratified on 24 June 2004 and published in September 2004. The revision
was originally developed as a set of system specifications titled IEEE 802.16-REVd, but
was comprehensive enough to classify as a complete reissue of the basic IEEE 802.16
standard. The document is over 900 pages in length and brings the family of standards
into a single document. This is the version of the standard which will be used for
WiMAX certification.

5. IEEE 802.16e and Beyond

The IEEE 802.16 Working Group is quite energetic, with committees actively
working on extensions to add mobility, conformance standards and test methodologies.
The IEEE 802.16e extension, which adds support for mobile subscriber stations, is
expected to be ratified during 2005. IEEE 802.16e has undergone several draft revisions.
Also in the works are the IEEE 802.16f and g amendments dealing with the Network
Management Plane.


B. PROTOCOL LAYERS WITHIN IEEE 802.16

The IEEE 802.16 standard is constructed in the form of a protocol stack with well
defined interfaces. As shown in Figure 2, the MAC consists of three sublayers: the
Service Specific Convergence Sublayer, the MAC Common Part Sublayer and the
Privacy Sublayer. When the IEEE standard refers to the MAC, it is generally discussing
the MAC Common Part Sublayer, rather than the integrated stack of sublayers.

The Service Specific Convergence Sublayer (CS) maps higher level data services
to MAC layer service flows and connections. The CS is provided in two variations to
allow integration with both ATM and packet based networks. The packet CS supports
Ethernet, point-to-point protocol (PPP) and both IPv4 and IPv6 internet protocols.

The MAC Common Part Sublayer (MAC CPS) is the nucleus of the standard. In the
MAC CPS are found the rules and mechanisms for system access, bandwidth allocation
and connection management. Unlike IEEE 802.11, IEEE 802.16 uses a stateful MAC
layer. As discussed in later chapters, this has important security ramifications. Denial of
Service attacks at this layer can now be seen as attempts to interrupt the operation of a
state machine. The MAC CPS communicates with the Convergence Sublayer via the
MAC Service Access Point (MAC SAP). Communication takes place using only four
basic types of primitive, which allow for the creation, modification, and deletion of
connections and the transport of data over the connection. QoS decisions for
transmission scheduling are also performed within the MAC CPS.

Figure 2. Protocol Layering in IEEE 802.16. (From [2]).

The Privacy Sublayer lies between the MAC CPS and the PHY layer. This 
sublayer provides for encryption and decryption of data traveling to and from the PHY 
layer, and is also used for authentication and secure key exchange. The Privacy Sublayer 
currently employs 56-bit Data Encryption Standard (DES) encryption for traffic and 3- 
DES encryption for key exchanges. However, explicit in the privacy layer specification 
is the ability to support other cryptographic suites in the future. 
Operating in similar fashion to the MAC SAP is the PHY SAP, which passes data
to and from the PHY. Again there are a limited number of primitives, with only three
basic types used.

In keeping with the broad range of frequencies supported, the PHY layer contains
several forms of modulation and multiplexing, as previously discussed. The tremendous
flexibility of the PHY provides engineers the ability to tailor their systems to the real
world requirements of cost, capacity and spectrum availability. The PHY also allows
designers to choose among various forward error correction (FEC) schemes, including
Reed-Solomon and Block Turbo Codes.

Of note, the modular nature of the standard as a whole allows entirely new PHY
specifications to be added in the future. New modulation schemes or frequency ranges
could be added with only minimal change to the rest of the standard. For example,
frequency hopping or direct sequence spread spectrum modulation can be added, just as
the IEEE added OFDM support with the 802.16a extension.


C. THE MEDIUM ACCESS CONTROL COMMON PART SUBLAYER 

In keeping with usage within the IEEE 802.16 standard [2], from this point 
forward the MAC CPS will be referred to as simply “the MAC.” 

1. MAC Layer Overview 

The Medium Access Control Common Part Sublayer (from here forward referred 
to as the MAC Layer) is the core of the IEEE 802.16 standard. Built to support a point- 
to-multipoint topology, its purpose is to provide for efficient sharing of the physical 
medium. The Base Station is the central node of the wireless network and acts as the 
bridge to the wired network. It is analogous to the Access Points (APs) seen in IEEE 
802.11 networks. However, the two standards use entirely different methods to share the 
airwaves. Where IEEE 802.11 uses carrier sense multiple access to avoid transmission 
collisions, IEEE 802.16 uses scheduled transmissions to ensure collision-free access. The 
Base Station performs all scheduling functions and uses Time Division Multiplexing on 
the downlink to SS. In turn, subscribers share the uplink using Time Division Multiple
Access (TDMA). Uplink and downlink schedules are transmitted every frame using UL-
MAP and DL-MAP messages.

Since the standard is designed to build outdoor networks with nodes miles apart, it
must be able to adapt its transmissions to compensate for difficult atmospheric
conditions. In fact, the MAC Layer allows for dynamically variable modulation and
forward error correction (FEC) codes. Thus, on a frame to frame basis the BS and SS are
able to optimize their transmission burst profile, trading off bandwidth with robustness.
The BS always begins its transmissions with the most robust modulation and FEC
scheme available to ensure that all SS are able to receive the uplink and downlink maps.
On a schedule published in the DL-MAP, the BS then transitions to progressively higher
capacity bursts. Similarly, each SS will transmit its uplink using the exact time and burst
profile scheduled by the BS.

To accommodate traffic bursts, SS are able to ask for longer uplink windows 
which allow them to pass more traffic. Exchanging Dynamic Service Change Requests 
and Grants, the BS and SS are able to negotiate bandwidth allocations according to their 
respective needs and capabilities. There are several mechanisms that can be used to tailor 
the service level received by an SS, including unsolicited bandwidth grants and polled 
opportunities. 

Like TCP, the IEEE 802.16 MAC Layer is designed around establishing and
maintaining a series of logical connections. Just as a single computer can have different
TCP connections open for Web Browsing, Telnet and mail services, a single SS may
have different connections open for radio link control, network management and user
data transport. Unlike TCP connections however, each of these MAC Layer connections
can have radically different parameters for security, bandwidth and priority.

Known by unique Connection Identifiers (CIDs), connections are assigned and 
managed by the BS. During the initial network entry, an SS is assigned three CIDs 
representing Basic, Primary Management and Secondary Management connections. The 
Basic connection is used to send brief, delay-intolerant messages for control of the radio 
link. The Primary Management connection is used to transport longer, less urgent 
messages such as registration requests and privacy key management messages. There are
also Broadcast CIDs that address every SS in the local radio network. These are used to
transmit the uplink and downlink transmission schedules, for example. Once the SS is
fully registered with the network, it is assigned unidirectional service flows which carry
user traffic. Note that a single CID can carry traffic for many different higher-layer
sessions.


The IEEE 802.16 MAC Layer is stateful. In fact, the MAC layer can be viewed
as a series of state machines, each determining the operation of individual processes
within the MAC structure. There are state machines for initial network entry,
authentication and key management, among others. This becomes an important concept
when examining the inner workings of the various operational mechanisms of the MAC
Layer.

2. Frame Format

IEEE 802.16 supports two types of transmission duplexing: Time Division
Duplexing and Frequency Division Duplexing. An illustrative example of a TDD Frame
is shown in Figure 3. In the TDD case, the BS transmits the entire downlink, starting
with the DL-MAP and UL-MAP messages which describe the timing and contents of the
downlink and uplink respectively. In the downlink direction, the schedule informs SS
when the BS is planning on shifting transmission burst schemes during the downlink. In
the uplink direction, the schedule informs each individual SS when it will be allowed
exclusive use of the transmission spectrum.

Figure 3. Example of a TDD frame. (Synthesized from [2] and [7]).
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In the FDD case, transmissions are also scheduled using DL-MAP and UL-MAP 
messages. However, uplink and downlink transmissions occur simultaneously on 
different frequencies. 

3. Format of MAC Messages 

Since the format and contents of MAC Management messages are central to this
thesis, these will be discussed in some detail. Messages exchanged between the BS MAC
and the SS MAC are referred to as Protocol Data Units (PDUs), and are sent in the form
shown in Figure 4. There are two types of MAC header. The first is the
Generic MAC header, which is used for the transfer of nearly all of the standard MAC
Management messages. The other header format is the Bandwidth Request Header,
which is used in standalone fashion without a payload. The cyclic redundancy check is
entirely optional for MAC management messages and is only used if specifically required
by the QoS parameters of the SS.




[Figure 4 layout: Generic MAC Header | Payload (optional) | CRC (optional)]

Figure 4. The Format of MAC Management Protocol Data Units. (From [2])


The format of the generic MAC header is shown in Figure 5. The Header Type
(HT) bit is always set to zero for generic headers, and is set to one for the bandwidth
request header. The other fields are as shown in Table 2. Of particular note are the Type
and EKS fields. The Type field indicates the payload type and which subheaders are
present; for a MAC management message, the first byte of the payload carries the
Management Message Type that identifies the message. The EKS field is used to ensure
that the BS and SS are synchronized in their use of Traffic Encryption Keys and
Initialization Vectors. For a complete listing of the MAC management messages and
their Type codes, see the Appendix.

According to section 7.1.1 of the IEEE 802.16-2001 standard, MAC Management 
messages are not to be encrypted. This decision was made to “facilitate registration, 
ranging and normal operation of the MAC sublayer” [2]. This is a key statement, as it 
makes the generation of false management messages possible. If all the MAC 
management messages were encrypted, once the BS and SS had exchanged traffic 
encryption keys, these messages would be exceedingly difficult to spoof. Also of note is 
that regardless of encryption settings, the MAC header is never encrypted. 
Figure 5. Generic MAC Header Format. (From [3]). 


Name   Length (bits)   Description 

CI     1               CRC Indicator. 
                       1 = CRC is appended to the PDU 
                       0 = No CRC is appended 

CID    16              Connection Identifier 

EC     1               Encryption Control. 
                       0 = Payload is not encrypted 
                       1 = Payload is encrypted 

EKS    2               Encryption Key Sequence. The index of the Traffic Encryption Key and 
                       Initialization Vector used to encrypt the payload. This field is only 
                       meaningful if the Encryption Control field is set to 1. 

HCS    8               Header Check Sequence. An 8-bit field used to detect errors in the 
                       header. The generator polynomial is g(D) = D^8 + D^2 + D + 1. 

HT     1               Header Type. Shall be set to zero. 

LEN    11              Length. The length in bytes of the MAC PDU including the MAC header. 

Type   6               This field indicates the payload type, including presence of subheaders. 


Table 2. Generic MAC Header Fields. (From [3]). 
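To make the layout of Figure 5 and Table 2 concrete, the following Python example packs and parses the six-byte generic MAC header and checks its HCS. It is an added illustration, not code from this thesis or from the standard. The bit positions used (HT, EC and Type in the first byte; CI, EKS and the three high LEN bits in the second; the LEN low byte; a 16-bit CID; the HCS last) and the CRC conventions (MSB-first, initial value zero, no final XOR) are assumptions derived from the field widths in Table 2, not statements quoted from the page.

```python
import struct

# Generator polynomial g(D) = D^8 + D^2 + D + 1; the D^8 term is implicit, so 0x07.
HCS_POLY = 0x07


def hcs(data: bytes) -> int:
    """CRC-8 over the first five header bytes: MSB-first, initial value 0, no final XOR
    (conventions assumed for this example)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ HCS_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_generic_header(msg_type: int, length: int, cid: int,
                         ec: int = 0, eks: int = 0, ci: int = 0) -> bytes:
    """Pack a generic MAC header (HT = 0) and append its HCS. Bit layout is assumed."""
    if not 0 <= length < (1 << 11):
        raise ValueError("LEN is an 11-bit field")
    b0 = (0 << 7) | ((ec & 1) << 6) | (msg_type & 0x3F)               # HT | EC | Type
    b1 = ((ci & 1) << 6) | ((eks & 3) << 4) | ((length >> 8) & 0x07)   # Rsv|CI|EKS|Rsv|LEN msb
    b2 = length & 0xFF                                                  # LEN lsb
    head = bytes([b0, b1, b2]) + struct.pack(">H", cid)                # CID, big-endian
    return head + bytes([hcs(head)])


def parse_generic_header(pdu: bytes) -> dict:
    """Decode the Table 2 fields, rejecting corrupted or non-generic headers.

    The header is never encrypted, so every field here is readable by any listener;
    the HCS only detects transmission errors, it is not an authentication check."""
    if len(pdu) < 6:
        raise ValueError("truncated header")
    head, check = pdu[:5], pdu[5]
    if hcs(head) != check:
        raise ValueError("HCS mismatch: header corrupted in transit")
    b0, b1, b2 = head[0], head[1], head[2]
    if b0 >> 7 != 0:
        raise ValueError("HT = 1: bandwidth request header, not a generic header")
    return {
        "HT": b0 >> 7,
        "EC": (b0 >> 6) & 1,
        "Type": b0 & 0x3F,
        "CI": (b1 >> 6) & 1,
        "EKS": (b1 >> 4) & 3,
        "LEN": ((b1 & 0x07) << 8) | b2,
        "CID": struct.unpack(">H", head[3:5])[0],
    }
```

The EKS value recovered by the parser is what lets the receiver pick the right TEK and IV generation for an encrypted payload (EC = 1); a header whose HCS does not verify is discarded before any of that happens.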


4. Ranging, Authentication and Establishing IP Connectivity 

As seen in Figure 6 from [2], subscriber stations go through a multi-step process 
to join a network. Once an SS has detected an active channel, it announces its presence 
to the BS via a Range Request (RNG-REQ) message. Determining the range between the 
BS and SS is important because SS uplinks are timed so that their transmissions arrive in 
a precisely scheduled window to minimize dead air time spent waiting on an individual 
SS’s propagation delay. In a network with hundreds of SS, as might be seen in a 
residential wireless DSL-type deployment, the cumulative effect of these propagation 
delays would have a negative impact on network efficiency. 



Figure 6. SS Initialization Overview. (From [2]). 
Transmitted during an Initial Maintenance time slot, the RNG-REQ also allows 
the SS to inform the BS of its preferred downlink burst profile. The BS, in turn, uses the 
Range Response (RNG-RSP) to adjust the SS transmission frequency, time and power. 
The BS also uses this message to inform the SS of its Basic and Primary Management 
CIDs. The SS and BS continue to exchange RNG-REQ and RNG-RSP messages using 
the newly assigned Basic CID, until the link has been fine tuned, and performance is 
acceptable to both parties. Once an acceptable radio link has been established, the SS 
informs the BS of the physical parameters and bandwidth allocation schemes it can 
support. 

The next step in the SS initialization process is requesting authorization to enter 
the network. Since theft of service is a large concern for commercial deployments, the 
IEEE 802.16 standard requires strong authentication of the SS. The procedures for 
authentication and key exchange are discussed in the Privacy Sublayer section that 
follows in this chapter. 

Upon completion of the authentication process, the SS is provisioned with a full 
set of authentication and traffic encryption keys. The SS is then assigned its Secondary 
Management CID, so that it may receive standards-based management messages for 
things such as Dynamic Host Configuration Protocol (DHCP). 

The remainder of the SS initialization process consists of establishing IP 
connectivity and network time of day, followed by transferring operational parameters 
and establishing transport connections. These are accomplished using well known 
standards such as DHCP, Trivial File Transfer Protocol (TFTP) and User Datagram 
Protocol (UDP). 


D. PRIVACY SUBLAYER 

The stated purpose of the Privacy Sublayer is to prevent eavesdropping on user 
data as it traverses the wireless link. With the exception of MAC management messages, 
all data traffic between the BS and SS is encrypted. However, the main focus of the 
Privacy Sublayer is on protecting service providers against theft of service, rather than 
protecting network users. Encrypting user data is simply a very desirable means to the 
end of preventing theft of service. It is also important to note that the privacy layer only 
protects data at the Open System Interconnection (OSI) layer two level. It does not 
provide end-to-end encryption of user data as seen in Virtual Private Networks and layer 
seven solutions such as S/MIME and SSH. Nor does it provide protection of the physical 
signal as a low probability of intercept scheme would. Both physical and higher layer 
security technologies would need to be integrated to provide a highly secure, routable 
communications network. 

To manage the exchange and synchronization of encryption keys, IEEE 802.16’s 
Privacy Sublayer employs the Privacy Key Management (PKM) protocol from the 
DOCSIS BPI + specification that is commonly used for cable modems. 

The protocol employs several different keys when setting up privacy encryption. 
These are summarized in Table 3. During the initial startup and ranging procedure, the 
SS submits its X.509 Digital Certificate to the BS. The BS verifies the authenticity of the 
certificate. If the SS is authorized to join the network, the BS uses the SS’s Public Key to 
encrypt an Authorization Key (AK). The AK is used in several different ways. It is used 
to derive a Key Encryption Key (KEK). It is also used to derive Hashed Message 
Authentication Code (HMAC) keys that are used in the generation and verification of 
MAC management messages. Finally, the KEK is used to protect a Traffic Encryption 
Key (TEK) that is generated by the BS, and sent to the SS. The TEK is the key actually 
used to encrypt data traffic exchanged between the BS and SS. 

The standard ensures that an SS is always in possession of valid encryption keys. 
For both authentication and traffic encryption keys, SS are given two sets of keys with 
staggered lifetimes. The key changeover schemes used for AKs and TEKs are very 
similar and ensure an orderly transition between key material generations. 
Key                            Generated by    Used for                                 Lifetime              Algorithm 

Public/Private Key Pair        Manufacturer    - SS authentication                      Permanent             RSA 
                                               - exchanging AK 

Authentication Key (AK)        BS              - generating KEKs                        1 day to 70 days      3-DES, SHA-1 
                                               - calculating HMAC digests 
                                               - verifying received HMAC digests 

Key Encryption Key (KEK)       BS, SS          - encrypting TEK for transmission (BS)   Same as AK            3-DES 
                                               - decrypting TEK for use (SS) 

Traffic Encryption Key (TEK)   BS              - encrypting data traffic                30 minutes to 7 days  DES 

Table 3. Summary of Cryptographic Keys Associated with the Privacy Sublayer. 
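The staggered-lifetime scheme described above (two TEK generations held at once, indexed by the 2-bit EKS field of the header) can be illustrated with the following Python example. It is an added illustration, not code from the thesis or from the standard: the key ring, the rule that a sender uses the newest currently valid key, and the 30-minute lifetimes in the sample data are simplifications chosen for this example, not the standard's exact changeover procedure.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrafficKey:
    eks: int           # 2-bit Encryption Key Sequence carried in the generic MAC header
    key: bytes         # the TEK itself (constructed sample bytes below)
    activate_at: int   # seconds: first instant the key may be used
    expire_at: int     # seconds: end of lifetime (30 minutes to 7 days for a TEK, Table 3)


class TekRing:
    """The two TEK generations an SS holds at once, selected by EKS and current time."""

    def __init__(self) -> None:
        self.keys = {}   # eks -> TrafficKey

    def install(self, tk: TrafficKey) -> None:
        if not 0 <= tk.eks <= 3:
            raise ValueError("EKS is a 2-bit field")
        if tk.expire_at <= tk.activate_at:
            raise ValueError("lifetime must be positive")
        self.keys[tk.eks] = tk
        # Keep only the two newest generations, matching the two key sets the standard provisions.
        if len(self.keys) > 2:
            oldest = min(self.keys.values(), key=lambda k: k.activate_at)
            del self.keys[oldest.eks]

    def key_for(self, eks: int, now: int) -> Optional[bytes]:
        """Key for a received PDU whose header carries `eks`, or None if it is unknown or out of life."""
        tk = self.keys.get(eks)
        if tk is None or not tk.activate_at <= now <= tk.expire_at:
            return None
        return tk.key

    def newest_active(self, now: int) -> Optional[TrafficKey]:
        """Simplified sender rule (an assumption of this example): newest key that is currently valid."""
        live = [k for k in self.keys.values() if k.activate_at <= now <= k.expire_at]
        return max(live, key=lambda k: k.activate_at) if live else None


def first_gap(ring: TekRing, start: int, end: int, step: int = 60) -> Optional[int]:
    """First instant in [start, end], sampled every `step` seconds, with no valid TEK at all."""
    for t in range(start, end + 1, step):
        if ring.newest_active(t) is None:
            return t
    return None


def staggered_ring() -> TekRing:
    """Successor installed halfway through the current key's 30-minute lifetime: no gap."""
    ring = TekRing()
    ring.install(TrafficKey(eks=0, key=b"\x01" * 8, activate_at=0, expire_at=1800))
    ring.install(TrafficKey(eks=1, key=b"\x02" * 8, activate_at=900, expire_at=2700))
    return ring


def late_ring() -> TekRing:
    """Successor only becomes usable after the current key has expired: a window with no key."""
    ring = TekRing()
    ring.install(TrafficKey(eks=0, key=b"\x01" * 8, activate_at=0, expire_at=1800))
    ring.install(TrafficKey(eks=1, key=b"\x02" * 8, activate_at=2000, expire_at=3800))
    return ring
```

The point of the overlap is visible in `first_gap`: with the successor installed before the current key expires there is never an instant without a usable TEK, whereas a late installation leaves a window in which encrypted traffic cannot be sent or decrypted. A PDU whose EKS names a key that is not yet active, or no longer held, is simply undecryptable at the receiver.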


E. PHYSICAL LAYER 

While an in-depth discussion of the OSI model physical layer of the IEEE 802.16 
standard is beyond the scope of this thesis, there are a few points that should be covered 
with regards to the physical layer. 

First of all, to a great extent the methods employed in a DoS attack will depend on 
the frequency and modulation scheme employed by the target network. For example, an 
attacker’s ability to sniff traffic sent across a 50 GHz line-of-sight link will be much more 
dependent on the geographic arrangement of attacker and victim than would be the case 
in a 2.4 GHz area broadcast. 

Secondly, while the IEEE 802.16 standard was originally written to support a 
handful of physical medium interfaces, it would not be unreasonable to expect that the 
standard will continue to evolve and may be extended to support other PHY 
specifications. The modular nature of the standard is very helpful in this regard. For 
example, the very first version of the standard only supported single carrier modulation. 
Since that time, Orthogonal Frequency Division Multiplexing (OFDM) has been added. 
The standard has also been extended for use in new frequency bands. Beyond the world 
of international standards, it would likewise be possible for developers to adapt the IEEE 
802.16 MAC layer to work with proprietary PHY mechanisms. For example, the 
standard would make an excellent basis for military spread spectrum communications 
systems. 


F. EXAMPLE NETWORKS 

For the purposes of illustration, this section will briefly describe real-world 
deployments of pre-802.16 networks. These are provided to give the reader a sense of 
the types of IEEE 802.16 deployments that may be seen in the future. Given the very 
flexible nature of the standard, there are bound to be many different types of 
deployments, from suburban DSL replacement networks to cellular backhaul point-to- 
point links. 

1. Houston County Study 

Houston (pronounced “house-ton”) County Georgia recently commissioned a 
wireless broadband study, conducted by Siemens [9]. The purpose of the study was to 
assess the feasibility of county-wide universal broadband access. The study examined 
the economic and technical issues that would need to be addressed to accomplish this 
goal, and also included some real-world testing using equipment from Alvarion, Inc. 
While the equipment was “pre-802.16,” it still adhered fairly closely to the published 
standard. The test network used Alvarion BreezeACCESS VE equipment, operating in 
an unlicensed frequency band at 5.8 GHz. The BS used a single 120 degree sector 
antenna, and SS used flat array antennas approximately 12” square. 

Despite the rural nature of Houston County, the study demonstrated the operation 
of a text-book Metropolitan Area Network. As shown in Figure 7, the test network had a 
single Base Station serving five Subscriber Stations which were located from 3 to 12 
miles away. The SS were nominally serving wireless broadband to County office 
buildings, including the Courthouse and Police Training Center. The IEEE 802.16 links 
were simulating service to wired local area networks in a manner analogous to T1 class 
landlines. Despite challenging propagation conditions due to trees and elevation changes, 
the most distant SS was able to achieve end-to-end traffic rates of 4.6 MBits/sec in the 
downlink and 2.9 MBits/sec in the uplink. These speeds were measured by a commercial 
website that measures file transfer times. This test network was created to demonstrate 
the viability of a county-wide network with approximately 100 commercial subscriber 
stations. 



Figure 7. Houston County Test Network. (After [9]). 

2. Verizon Avenue’s Suburban DSL Replacement Networks 

Another type of IEEE 802.16-based network that may become common are those 
that provide DSL and cable modem class service to underserved suburban or rural areas. 
In several test markets, Verizon Avenue (a subsidiary of the cellular phone giant) has 
installed networks that serve hundreds of households. These generally have one or two 
antenna towers with several 120 degree sector antennas, and serve residences within just 
a few miles of the tower. Each home is provided with a small directional antenna and an 
Ethernet interface box. In these test markets, customers receive 768 kbps (downlink) 
service for approximately $30 per month [10]. This will probably be the first IEEE 
802.16 network that the public becomes familiar with. 
III. EXAMINATION OF THE IEEE 802.16 STANDARD FOR KNOWN 
IEEE 802.11 DENIAL OF SERVICE VULNERABILITIES 


There has been a great deal of interest in exploiting IEEE 802.11 wireless LANs. 
Unfortunately, there has also been a great deal of success. Hackers, security consultants, 
government agencies and even college students have all identified and tested 
vulnerabilities inherent in the IEEE 802.11 standard. These vulnerabilities have included 
cryptographic weaknesses, network exploitations and denial of service attack 
vulnerabilities. In this chapter, DoS vulnerabilities in the IEEE 802.11 MAC layer are 
presented, with accompanying analysis of the IEEE 802.16 MAC for similar 
vulnerabilities. Information on the IEEE 802.11 standard is drawn from the standard 
itself [11] as well as from published reports on vulnerabilities. 


A. INTRODUCTION TO IEEE 802.11 VULNERABILITIES 

In their 2003 presentation to the 11th USENIX Security Symposium, John 
Bellardo and Stefan Savage asserted that the IEEE 802.11 MAC layer is vulnerable to 
two broad classes of DoS attacks [12]. Bellardo and Savage proposed that the 
vulnerabilities in IEEE 802.11 were either “identity vulnerabilities” or “media-access 
control vulnerabilities.” These two categories quite neatly encapsulate the attacks 
presented in [12], as well as the attacks presented in other published research [13], [14], 
[15]. This thesis will also use these categories to describe vulnerabilities found within 
IEEE 802.16. Not considered in [12] are attacks at the PHY layer, such as military 
broadband jamming of the RF spectrum. While resistance to RF jamming is vitally 
important to military networks, attacks at the PHY layer are considered outside the scope 
of this thesis. 

1. Identity Vulnerabilities 

Identity vulnerabilities occur when control and information messages are not 
properly authenticated. According to Bellardo and Savage, IEEE 802.11 is particularly 
vulnerable to these types of attack because the standard implicitly trusts message source 
addresses [12]. The standard lacks a robust sender authentication mechanism at the MAC 
level. For a receiving station without the ability to authenticate the true source of a 
message, any correctly formatted message from an appropriate source address will be 
perceived as genuine. As a result, attackers are able to abuse a variety of powerful MAC 
messages [14]. 

2. Media-Access Control Vulnerabilities 

While Bellardo and Savage do not explicitly define media-access vulnerabilities, 
they do provide two clear examples from which the definition might be inferred. The two 
exploits presented show how an attacker may take advantage of the mechanisms that are 
designed to fairly share the transmission medium. The first attack exploits IEEE 
802.11’s physical carrier sense mechanism by transmitting many short packets in rapid 
succession, causing all nodes within range to believe the medium is already in use. The 
victim nodes then listen patiently for their fair turn to communicate. As long as the 
attacker is transmitting, this turn never comes. In contrast, the virtual carrier sense attack 
sends relatively few packets. However, these packets use forged length fields within the 
packet to reserve a very long transmission period. During this period, fooled nodes don’t 
even use their physical carrier sense mechanism to check to see if the medium really is 
busy. Instead, they just count the microseconds until the reserved transmission period 
expires. 

B. DEAUTHENTICATION ATTACK 

1. IEEE 802.11 Background 

The deauthentication attack is a near-perfect exploitation of IEEE 802.11’s 
inherent identity vulnerability [12]. When a new node wishes to join an IEEE 802.11 
network, it must first go through an authentication and association process before it is 
allowed access to the rest of the network. Authentication may be either “open” (any node 
may join the network), or shared key (node must be in possession of the network 
password). Once authenticated, a node goes through an association process and then is 
finally allowed to exchange data across the full network. There are only a limited 
number of control, management and data frames allowed during the authentication and 
association process. One of these messages allows nodes to demand deauthentication 
from each other, which is useful for switching between wireless networks that overlap 
geographically. A node in receipt of a deauthentication message will immediately 
remove itself from the network and return to its base state. 

In the deauthentication attack, a rogue node first determines the address of the 
Access Point (AP) that is controlling the wireless network [12]. Analogous to the BS in 
an IEEE 802.16 network, the Access Point is the bridge between the wired and wireless 
LANs. The address of the AP is easily determined, as it is not protected by cryptological 
means. The AP source address is used only to allow subscribers to determine which 
network to deauthenticate from; it is not a form of authentication. While some AP’s are 
configured so that they do not directly broadcast their presence, their address may still be 
found by listening to the transmissions of other nodes. 

Once the attacker has the AP address in hand, he uses the default broadcast 
address to transmit the deauthentication message to every station within reach. Believing 
the message to be the genuine article (and with no means to find otherwise), any station 
that receives the deauthentication message immediately stops communicating with the 
network. These newly deauthenticated nodes must now restart the authentication and 
association process from the very beginning. Repeated transmissions of deauthentication 
messages can bring network traffic to a complete standstill [12], [14]. No advanced 
cryptological techniques are required to mount the attack because none are employed. 

There are other messages within IEEE 802.11 that may be abused to cause this 
complete denial of service. The disassociation message may be constructed and 
employed in near identical fashion to the deauthentication message [12]. Known as the 
disassociation attack, this tactic is slightly less efficient from an attacker’s standpoint 
because more of the spoofed messages are required. Even though there are other 
messages which may be abused, for the sake of simplicity the term “deauthentication 
attack” will be used from this point forward when generically discussing attacks that 
exploit IEEE 802.11’s identity vulnerability at the MAC level. 

There are a few key properties of the deauthentication message that make the 
deauthentication attack possible. Most importantly, the deauthentication message itself is 
totally unauthenticated aside from a logical check of the message source address. 
Second, the information needed to construct a valid message is not cryptographically 
protected and is in fact, quite easily determined. Also, the victim will respond to a 
correctly formatted deauthentication message regardless of when it is received. Hence, 
an attacker simply needs to generate a barrage of deauthentication messages and send 
them to the victim. To make matters worse, the attacker doesn’t even need to be 
authenticated or associated with the network in order to inject these messages [13]. 

2. Application to IEEE 802.16 

IEEE 802.16 contains several MAC messages that are analogous to the 
deauthentication message found in IEEE 802.11. The Reset Command (RES-CMD) 
message, is transmitted by a base station to direct a particular subscriber station to 
completely reset itself [2]. It is management message type 25, as shown in the Appendix. 
A subscriber in receipt of a valid RES-CMD will reinitialize its MAC and attempt to 
repeat initial system access. The message is intended to allow a BS reset unresponsive or 
malfunctioning SS. Similarly, a BS may transmit the De/Re-register Command (DREG- 
CMD) to an SS, thereby forcing the SS to change its access state. DREG-CMD is 
management message type 29, as shown in the Appendix. This command may be used 
for several purposes, including forcing an SS to completely leave the transmission 
channel. 

Fortunately, IEEE 802.16 incorporates substantial protection against the misuse of 
the RES-CMD and DREG-CMD commands. The primary mechanism is message 
authentication in the form of Hashed Message Authentication Code (HMAC) Digests, 
using the SHA-1 hash algorithm. As described in Internet Engineering Task Force 
Request for Comments 2104, an HMAC digest is a general purpose authentication code 
calculated using both the original message and a shared secret key [16]. In the case of 
IEEE 802.16, the specified algorithm generates a 160 bit value which is appended to the 
original message. Together, these three elements—message, shared secret key and 
HMAC digest—allow the receiver to verify that the author is legitimate and that the 
message was received in its original form. The receiver simply uses its own copy of the 
secret key to calculate an HMAC digest for the message and compares this result with the 
digest calculated by the sender. The two sets of calculated HMAC digest values will 
match only if the two parties are using the same key and same message. Since only the 
legitimate sender and intended recipient share the secret key, a match guarantees that the 
message arrived from the legitimate sender unaltered. See Figure 8 for an overview of 
the attack. 



Figure 8. Failure of the Deauthentication Attack using RES-CMD. 
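The verification shown in Figure 8 can be expressed in a few lines of Python. This is an added example, not code from the thesis or from any 802.16 implementation: the six-byte header is a constructed stand-in in which only the CID bytes are meaningful, the HMAC key is generated at random in place of the AK-derived key the standard uses, and the digest is computed over header plus payload as the text states. It demonstrates why a RES-CMD built without the shared key, or a genuine one whose covered bytes have been altered, is rejected by the SS.

```python
import hashlib
import hmac
import os

RES_CMD = 25      # management message type 25 = RES-CMD (see Appendix)
DIGEST_LEN = 20   # HMAC-SHA1 yields a 160-bit digest


def make_header(cid: int) -> bytes:
    # Constructed stand-in for the 6-byte generic MAC header; only the CID bytes matter here.
    return b"\x00\x00\x07" + cid.to_bytes(2, "big") + b"\x00"


def attach_hmac(header: bytes, payload: bytes, key: bytes) -> bytes:
    """BS side: the digest covers the whole PDU (MAC header + payload) and is appended."""
    return header + payload + hmac.new(key, header + payload, hashlib.sha1).digest()


def verify_hmac(pdu: bytes, key: bytes) -> bool:
    """SS side: recompute over everything but the trailing digest; compare in constant time."""
    if len(pdu) <= DIGEST_LEN:
        return False
    body, digest = pdu[:-DIGEST_LEN], pdu[-DIGEST_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), digest)


def scenario() -> dict:
    """Figure 8 in code: a genuine RES-CMD passes; a forgery or an altered copy does not."""
    shared_key = os.urandom(20)   # stands in for the HMAC key derived from the AK
    cid = 0x0042
    genuine = attach_hmac(make_header(cid), bytes([RES_CMD]), shared_key)
    # A sender without the AK-derived key can only guess one (an unrelated random key here).
    forged = attach_hmac(make_header(cid), bytes([RES_CMD]), os.urandom(20))
    # Pointing a genuine PDU at another CID changes covered header bytes, so its digest fails.
    retargeted = make_header(0x0043) + genuine[6:]
    return {
        "genuine": verify_hmac(genuine, shared_key),
        "forged": verify_hmac(forged, shared_key),
        "retargeted": verify_hmac(retargeted, shared_key),
    }
```

The constant-time comparison (`hmac.compare_digest`) is the one detail worth carrying into a real implementation: a byte-by-byte early-exit comparison would leak how many leading digest bytes a submitted value got right.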

The authentication system described above rests on a few underlying 
assumptions. Most importantly, the keyed hash algorithm is assumed to be 
cryptographically strong. In simple terms, the algorithm used must not allow an attacker 
to guess or otherwise calculate correct hash values without exhaustively trying every 
possible key. Another underlying assumption is that the key used when calculating the 
HMAC digest is truly secret. This is an assumption that fails when referring to IEEE 
802.11. The Wired Equivalent Privacy (WEP) was famously discovered to employ a 
flawed encryption mechanism. Once the flaw was revealed, the privacy and 
authentication mechanisms in use were entirely compromised. Fortunately, IEEE 802.16 
employs different encryption standards. The standard currently allows the choice of 3- 
DES EDE with a 128-bit key or RSA with a 1024-bit key. Even if these well proven 
algorithms were compromised, the message authentication vulnerability could be repaired 
by changing crypto suites—this is an explicit feature of the standard. 

IEEE 802.16 is protected from the deauthentication attack because it employs 
strong authentication of those key MAC messages, such as RES-CMD and DREG-CMD. 
It is important to note that not every MAC message is authenticated. The implications of 
this will be discussed in detail in a later chapter. 


C. REPLAY ATTACK 

1. IEEE 802.11 Background 

Generically speaking, a replay attack is one in which an attacker fraudulently 
reuses a piece of valid information that he has intercepted or overheard. The attacker 
does not need to modify the message, but merely repeats it at an opportune time. As 
applied to IEEE 802.16, an attacker might capture a message (along with its associated 
HMAC) and replay the message unaltered. This section will discuss the ways that IEEE 
802.16 will respond to this replayed message. 

As previously discussed, IEEE 802.16 employs Hashed Message Authentication 
Code (HMAC) digests to ensure the authenticity of received messages. While HMACs 
provide a receiver assurance that the message was received as sent, they are not absolute 
assurance that a message is being used as intended. The sender and the contents of the 
message are authenticated, but nothing else. A message that has been captured by an 
attacker then replayed later will still authenticate properly as long as the encryption keys 
haven’t changed in the interim. Since the message contents cannot be altered in any way, 
the replayed message is of only limited utility. However, there remain scenarios in which 
unaltered, rebroadcast messages can cause significant problems for the victim. Any 
consumer who has been billed twice for a single purchase will have a feel for this. 

When used against IEEE 802.11 networks, the replay attack can be useful as a 
DoS weapon. At the most basic of levels, any valid message will cause a DoS condition 
if it is repeated often enough. This is the brute force case. Since the message is valid, it 
consumes both bandwidth and computing time as the message is decoded and acted upon. 
IEEE 802.11 is vulnerable to this type of attack because messages aren’t serialized in any 
fashion. There is no built-in method to detect and discard replayed messages. Moving 
beyond the brute force level, a replay attack can be effective at exploiting higher level 
functions in an IEEE 802.11 network. 


Of note for IEEE 802.16 is that the attacker might need both BS and SS 
capabilities to observe and replay his message, depending on the exact scenario 
presented. Depending on the network implementation, the attacker might even need to 
coordinate the operations of two separate units. For example, in a FDD system, BS and 
SS transmissions occur at different frequencies. A replay attack against this FDD system 
would require the attacker to receive information on one frequency then transmit it on 
that same frequency. If this is not possible with a single unit, the attacker would need to 
have both BS and SS operating in unison. This is a very different scenario than that seen 
in the Ethernet and Wi-Fi worlds where every node in the network has the same transmit 
and receive capability. 

2. Application to IEEE 802.16 

Since the presence of the HMAC digest requires that a message must be 
retransmitted unchanged, whether a particular message may be reused is dependent on 
the internal details of the message. Any transient information within the message, for 
example a timestamp or a transaction serial number, generally makes the message 
unsuitable for a replay attack. The transient information allows the receiver to detect the 
retransmission and ignore the duplicate copies of the message. 


Looking once again at the Reset Command, it initially appears that the RES-CMD 
message could be effectively replayed by an attacker. The command itself contains no 
serial number, no timestamp and no transient information. See Table 4. Messages of this 
type seem very appropriate for replay. 


Management Message Type    Message Parameters 

25 = RES-CMD               HMAC Digest 


Table 4. Reset Command Format. (After [2]). 


However, this is not the case. The IEEE 802.16 standard requires the HMAC to 
be calculated using the entire message, including the MAC header. See Figure 4. Since 
the header is covered by the HMAC digest, it too must be retransmitted unaltered, and 
this is where the replay attack falls apart. The header contains the Connection ID (CID) 
of the SS which must be reset. For this reason, the RES-CMD command is a one time 
use message. Once reset, the SS will resume operation under the new CID assigned by 
the BS. The CID is a 16-bit value, and the BS cycles sequentially through all 65,536 
choices of CID. This makes it very unlikely that the CID will be reused. Even if the SS 
were to resume operation using the same CID, it would negotiate a new set of keys with 
which to authenticate the message. A replay attack based on the RES-CMD fails on two 
different levels. Therefore, the RES-CMD command is useless to an attacker attempting 
to employ the replay attack. Eor similar reasons, a replayed DREG-CMD also fails to 
elicit action by the SS. 

In the case of the RES-CMD and DREG-CMDs, the replay attack fails to cause 
the actions desired by the attacker. However, IEEE 802.16 remains somewhat vulnerable 
to interference from brute force replay denial of service attacks, because there is no 
mechanism in place to specifically detect and discard repeated packets. An attacker 
could repeat many messages (whether valid or not) in an attempt to interfere with the 
proper operation of the network. There are several ways in which the victim network 
might respond, depending on the exact content and timing of the replayed message. 
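The two levels at which a replayed RES-CMD fails, described in the preceding section, and the absence of a duplicate filter noted in this one, can both be exercised with the following Python example. It is an added illustration, not code from the thesis or from any 802.16 implementation: the header is a constructed six-byte stand-in whose only meaningful field is the CID, the HMAC keys are random values standing in for the AK-derived keys, and the small cache of recently seen digests in `SubscriberStation` is a mitigation added for this example (the page states that the standard itself has no such mechanism), shown here because a replayed PDU must be bit-identical and is therefore easy to recognise.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

RES_CMD = 25       # management message type 25 = RES-CMD (Table 4)
DIGEST_LEN = 20    # HMAC-SHA1 digest length in bytes


def make_header(cid: int) -> bytes:
    # Constructed stand-in for the 6-byte generic MAC header; only the CID bytes matter here.
    return b"\x00\x00\x07" + cid.to_bytes(2, "big") + b"\x00"


def make_pdu(cid: int, msg_type: int, hmac_key: bytes) -> bytes:
    """BS side: management PDU addressed to `cid`, digest computed over header + payload."""
    body = make_header(cid) + bytes([msg_type])
    return body + hmac.new(hmac_key, body, hashlib.sha1).digest()


class SubscriberStation:
    def __init__(self, cid: int, hmac_key: bytes, window: int = 64):
        self.cid, self.hmac_key = cid, hmac_key
        self.seen = OrderedDict()   # recent digests: added duplicate filter, not in the standard
        self.window = window
        self.resets = 0

    def reinitialize(self, new_cid: int, new_hmac_key: bytes) -> None:
        """After a reset the SS re-ranges, receives a fresh CID and negotiates new keys."""
        self.cid, self.hmac_key = new_cid, new_hmac_key
        self.seen.clear()

    def receive(self, pdu: bytes) -> str:
        body, digest = pdu[:-DIGEST_LEN], pdu[-DIGEST_LEN:]
        expected = hmac.new(self.hmac_key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, digest):
            return "rejected: bad HMAC"          # wrong key generation or altered bytes
        if int.from_bytes(body[3:5], "big") != self.cid:
            return "ignored: not my CID"         # header is covered, so the CID cannot be rewritten
        if digest in self.seen:
            return "dropped: duplicate"          # bit-identical repeat within the window
        self.seen[digest] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        if body[6] == RES_CMD:
            self.resets += 1
            return "reset"
        return "accepted"


def scenario() -> list:
    key_gen1, key_gen2 = os.urandom(20), os.urandom(20)   # constructed HMAC key generations
    ss = SubscriberStation(cid=0x0101, hmac_key=key_gen1)
    genuine = make_pdu(0x0101, RES_CMD, key_gen1)
    outcomes = [ss.receive(genuine)]                      # "reset": genuine command acts
    ss.reinitialize(new_cid=0x0102, new_hmac_key=key_gen2)
    outcomes.append(ss.receive(genuine))                  # "rejected: bad HMAC": keys changed
    # Even if key material somehow survived the reset, the stale CID still defeats the replay.
    ss_same_keys = SubscriberStation(cid=0x0102, hmac_key=key_gen1)
    outcomes.append(ss_same_keys.receive(genuine))        # "ignored: not my CID"
    # Brute-force repetition of a benign, validly signed PDU: the digest cache drops the copies.
    benign = make_pdu(0x0101, 0x00, key_gen1)
    ss_live = SubscriberStation(cid=0x0101, hmac_key=key_gen1)
    outcomes += [ss_live.receive(benign), ss_live.receive(benign)]  # "accepted", "dropped: duplicate"
    return outcomes
```

The last two outcomes show the brute-force case this section describes: without the cache the second copy would be authenticated and acted upon again, consuming the receiver's time exactly as the text says. The cache only helps against exact repeats of valid PDUs; it does nothing against the narrowband-noise effect of repeated invalid frames, which is a physical-layer matter.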

In the least damaging case, the attacker’s signal would act like a narrowband 
noise signal competing with legitimate broadcasts. While this would have a negative 
impact on network efficiency, dynamic FEC and modulation changes would be able to 
mitigate the impact of this attack. 

In a more damaging attack, the attacker would repeat copies of a single SS’s 
traffic to the BS in such a way as to cause the BS to send a RES-CMD to the SS whose 
traffic is being replayed. This is a worthy goal for an attacker, as the reset would cause 
the victim to stop all broadcasts and return to the initial registration cycle. However, 
whether or not this second effect will happen is open to conjecture. The standard only 
states that the RES-CMD may be used “if an SS is unresponsive to the BS or the BS 
detects continued abnormalities in the uplink transmission from the SS” [2]. The 
standard does not specify exactly what constitutes “continued abnormalities in the 
uplink.” The exact set of conditions that result in a RES-CMD will be decided by the 
equipment manufacturers. The effect of this type of attack will be implementation 
specific. 


D. AP SPOOF 

1. IEEE 802.11 Background 

In an AP spoof, an attacker “steals” users from a legitimate network by setting up 
a rogue access point that is configured to mimic a nearby network. This is a classic man- 
in-the-middle attack, where an attacker places himself between two parties and 
manipulates the communications between them. This is an exceptionally powerful 
exploit, as the attacker can gain access to information that would normally be beyond his 
reach. When using his position as man-in-the-middle for denial of service, the attacker 
simply discards the victim’s traffic as it passes through his node. The position of man-in- 
the-middle can be very difficult to achieve in wired networks, requiring intimate access 
with the victim network. However, in a wireless network this position is much easier to 
achieve. One simply needs to set up an access point that is a more attractive choice for 
association than the legitimate AP. This so-called “rogue AP” can be configured to mimic 
the legitimate AP by copying the SSID, MAC address and even home page of the host 
network. 

The attacker can choose to wait for new users attempting to reach the legitimate 
AP, or use a denial of service attack to disrupt existing connections. Since IEEE 802.11 
devices select APs based on received signal strength, the attacker need only ensure that 
his AP has greater signal strength as seen by the victim. This may be accomplished most 
simply by positioning the rogue AP between the victim and the legitimate AP. Other 
methods include using directional antennas and RF amplifiers. 

The victim is fooled into thinking he is interacting with the legitimate network 
while his traffic is flowing into the rogue AP. There are utilities that automate this 
process, complete with web servers that capture unencrypted passwords as victims 
attempt to log on to bogus pages. Unless there are higher level firewalls or intrusion 
detection systems in place, this attack gives the attacker all the credentials he needs to 
access the legitimate network. 

The vulnerability at the root of this attack is that IEEE 802.11 does not require 
strong two-way authentication between access points and users. Unless add-on security 
devices are used, the credentials presented by an AP are easily forged. In fact, AP 
credentials which typically only consist of a unique station name, are much more easily 
forged than the credentials that must be presented by user terminals. The AP credentials 
are broadcast across the network, even when the option to “advertise” the presence of the 
AP is disabled. This allows an attacker to “sniff’ the AP’s credentials by observing a 
relatively trivial amount of network traffic. Contrast this to the subscriber’s WEP 
password that is used for authentication. While the Wired Equivalent Privacy key can be 
broken, an attacker must observe a very large volume of traffic and employ sophisticated 
(including some freely available) cryptographic tools. Prom an overall network security 
standpoint, employing only weakly authenticated access points is a very dangerous 
practice. When compared to the full range of exploits possible, using this vulnerability 
for a DoS attack is relatively benign. 

2. Application to IEEE 802.16 

This vulnerability also exists in IEEE 802.16. Because commercial WiMAX networks 
are intended to provide high speed data services across a large geographic area, the 
IEEE 802.16 Working Group devoted a great deal of energy to preventing theft of service. 
As discussed in Chapter 2, every SS is required by the standard to incorporate an X.509 
digital certificate to allow strong authentication of the SS. However, there is no such 
requirement for BSs. In fact, the IEEE 802.16 standard makes no mention of BS 
authentication. Analogous to the IEEE 802.11 AP Spoof, this type of hijack could be 
called a BS Spoof. 

It is worth noting that this is a hijack only at the PHY and MAC layers. Higher 
layer data streams (TCP connections, for example) would not be preserved and would 
need to be exploited by other means. There are tools designed for hijacking web browser 
sessions (most notably those built on HostAP, which lets a commodity wireless card act 
as an AP) that could be adapted to spoof real websites present on an IEEE 802.16 
network. In this case, user data could be protected by application level encryption. 
Even though this is not a complete hijack, it can still be used as a potent DoS weapon. 
During a BS Spoof DoS attack, the radio links would show a good connection while the 
higher layer data went nowhere. 

A review of the user documentation for two "pre-802.16" compliant systems 
reveals that manufacturers are providing BS authentication in much the same way as 
IEEE 802.11. It must be noted that both of these systems were developed prior to the 
IEEE 802.16-2004 standard being ratified and therefore do not benefit from the full 
range of privacy and authentication services afforded by the standard. The Alvarion 
BreezeACCESS VL 5.8 GHz uses an Extended Service Set ID (ESSID) and MAC address as 
the mechanism for BS authentication [17]. Base Stations are provided with both default 
and global ESSIDs, which are designed to assist in registering with a new BS within the 
overall wireless network. MAC address filtering is an additional feature that is 
optionally enabled. These mechanisms are virtually identical to those employed by IEEE 
802.11. The RedLine AN-50 Point-to-Point System uses a different authentication 
method, employing only password-based encryption of the wireless link [18]. 


E. MAC ADDRESS SPOOFING 

The IEEE 802.16 standard requires that every SS have a 48-bit universal MAC 
address burned into its firmware [2]. This value is used as part of the initial ranging 
process and during the authentication process, allowing the BS and SS to verify each 
other's identity. There are several issues with using a device's hardware MAC address as 
a form of authentication. The drafters of the standard seem to be operating under the 
assumption that the MAC address of an SS or BS is immutable. This is not entirely the 
case. While the value that is encoded in the hardware cannot be changed, the value that 
is reported by the firmware is subject to change. There are numerous programs capable 
of changing the MAC address reported by network adapters within personal computers. 
These programs use features of the computer's operating system (whether Windows or 
Linux) to modify the MAC address that is reported by the network adapter. Changing the 
MAC of a PC's network adapter is a trivial process that can be accomplished in minutes. 
In the IEEE 802.11 realm, for a period, it was thought that MAC address filtering 
at the access point could prevent unauthorized users from joining the wireless network. 
Even though MAC spoofing was well known, the reasoning went that the 48-bit MAC 
contains too many possible values to allow brute force guessing. Unfortunately, nearly as 
soon as the practice of MAC address filtering became widespread, there were hacker 
utilities released to circumvent this protection. The problem is that hackers didn't need to 
guess authorized MAC addresses. The addresses were broadcast across the wireless 
network as required by the IEEE 802.11 standard. Therefore, the MAC addresses in use 
could easily be "sniffed" out of the airwaves. In IEEE 802.16, the very first message an 
SS sends to a BS (RNG-REQ) contains the SS's MAC address. The response from the 
BS (RNG-RSP) also contains this value. Therefore, an attacker capable of listening to 
the IEEE 802.16 link in either the uplink or downlink direction will be able to determine 
the MAC addresses of authorized SSs. 

However, whether one can change the MAC address of an SS will depend on the 
architecture of the SS under scrutiny. The case of modifying the MAC address of a 
stand-alone unit is very different from the scenario presented by a network card resident 
in a PC. Currently, all available IEEE 802.16-based networking equipment is in the form 
of stand-alone units. This is about to change. One of the major contributors to the 
WiMAX Forum, Intel Corporation, has publicly announced that it plans on selling IEEE 
802.16 compliant chipsets inside laptops [19]. This is analogous to the scenario with the 
Centrino chipset today. In this case, spoofing a MAC address will be just as trivial for 
IEEE 802.16 as it is today for IEEE 802.11. 

For a stand-alone unit, modifying the MAC address of an SS will require changes at 
the firmware level, which is difficult unless the capability is provided by the 
manufacturer. As an example, several brands of router have the capability to change the 
MAC address built directly into the user accessible configuration utility. For example, 
some Linksys routers have a "MAC Addr. Clone" tab in their configuration utility [20]. 
In the future, there will most likely be manufacturers that provide a similar capability 
in their IEEE 802.16 equipment. There need be only one particular SS firmware version 
to compromise the entire premise of MAC address authentication. As soon as would-be 
attackers discover the capability, they will purchase that SS and download the 
appropriate firmware. 

In summary, MAC address filtering is helpful from a network management point 
of view, but is a flawed authentication method. It is for precisely this reason that, in 
addition to a MAC address, each SS is required to have an X.509 compliant digital 
certificate. 

F. ATTACKS ON PHYSICAL CARRIER SENSE 

Any wireless network will be vulnerable to radio frequency jamming. However, 
the degree of vulnerability will vary widely, depending on the physical layer interface. 
Parameters such as transmitter power, receiver sensitivity, RF frequency and bandwidth 
and antenna directivity all play important roles when examining the effectiveness of 
broadband noise jamming attacks. Though this type of jamming is a PHY layer attack, 
there are attacks that create a denial of service condition by generating “noise” at higher 
layers. A SYN flood is an example of this. There are also several analogous attacks that 
have been demonstrated to be very effective against IEEE 802.11. 

1. IEEE 802.11 Background 

The mechanism under attack is the Carrier Sense Multiple Access (CSMA) 
component of the IEEE 802.11 MAC layer. CSMA is the method used to share the 
wireless medium and avoid collisions over the airwaves. Each unit that desires to 
transmit must first listen to ensure that no other station is transmitting. If no carrier is 
present (indicating no transmission underway) the station is free to transmit. IEEE 
802.11 actually uses two carrier sense methods: physical carrier sense and virtual 
carrier sense. Both of these have been exploited to create denial of service attacks. 
Since virtual carrier sense has no analogue in IEEE 802.16, only physical carrier sense 
will be examined here. 

There are several ways to exploit the physical carrier sense protocol [12]. One 
just needs to make legitimate nodes in the network believe that there is another station 
transmitting. While this could be accomplished with specialized RF signal generators, 
the most rudimentary method is to have a rogue node simply transmit continuously. In 
[13] this is accomplished by exploiting a management primitive that can be used to place 
a network card into a test mode where it continuously transmits a test pattern. Any node 
within range of the rogue node will correctly determine there is a transmission underway 
and defer its transmission. This attack requires no specialized equipment and 
accomplishes its jamming using only 23 mW from a commodity wireless network 
interface card. Contrast this with traditional jamming transmit power levels, which may 
need to be orders of magnitude higher to achieve a full denial of service. Also, note that 
the physical carrier attack will only affect the network that the attacker has synchronized 
with. Other networks in the area will be able to continue to operate. Again, contrast this 
with pure RF jamming, where every system that communicates in the same 2.4 GHz 
spectrum as the target would be jammed, including cordless phones. 

This attack is very effective because it bypasses all of the mechanisms designed to 
protect the signal from outside interference. The Direct Sequence Spread Spectrum 
modulation, the Forward Error Correction algorithms and the Cyclic Redundancy Checks 
are all rendered useless by an attacker exploiting the standard rather than merely using 
brute force noise. 

2. Application to IEEE 802.16 

Since IEEE 802.16 uses a nearly contention free MAC, it does not use physical 
carrier sensing to control permission to transmit. In the few contention transmission 
windows that exist in a frame, collisions are detected after the fact and resolved by 
backoff rather than avoided. Any request an SS makes in a contention window that goes 
unacknowledged is assumed to have collided with another SS's transmission. The 
request is then retransmitted in another randomly chosen timeslot. 

However, there are lessons that can be learned from the physical carrier sense 
attack. The attack works by exploiting the sharing mechanism that ensures fair and 
efficient use of the transmission spectrum. 

All subscriber stations (even those not yet authenticated on the network) receive 
the UL-MAP that schedules the transmission time and modulation scheme for every SS 
seeking to send uplink traffic. Therefore, an attacker who desires to deny service to a 
particular SS has all the information he needs to send malicious transmissions that will 
collide with the legitimate uplink. Thus an attacker can target a single SS's transmissions 
for denial of service, and he can attack with minimal power because he can closely mimic 
the legitimate sender's RF signals. 

In this scenario, an attacker would synchronize with the target network and 
undergo the initial ranging process in order to fine tune his transmission timing and 
frequency. This is necessary in order to be able to transmit signals that can truly compete 
"in band" with the victim SS's transmissions. If the attacker is not synchronized with the 
legitimate transmissions, he is competing as noise rather than as an intelligible signal, and 
IEEE 802.16 has several mechanisms that are meant to correct for noise on the 
transmission channel. Note that this ranging exchange is itself visible to the BS, which 
gives the operator one of the few opportunities to notice the attacker's presence. Once 
the attacker is synchronized with the target network and has received a UL-MAP, he 
may select a target. Since transmissions are allocated by CID, the attacker must target a 
set of connections rather than an SS by name. The attacker will not know precisely 
which SS is being interfered with, and may in fact only be targeting a subset of the SS's 
several connections. The final step is to simply transmit at the scheduled time, using the 
scheduled modulation scheme. The messages sent could be completely forged, replayed 
or both. The attacker's signal should then collide with the legitimate transmission. 
Rather than being rejected by noise filters, the rogue transmission will be competing as 
an intelligible signal. Depending on the relative transmission power of the two 
competing SSs, the signal decoded by the BS will either be in a degraded state or 
completely unintelligible. The effect over a series of transmission windows will be to 
starve out the affected SS. It is also possible that the BS will order the SS to reset itself 
due to the "garbled" transmissions received by the BS. 

The high degree of selectivity that is possible with this type of attack has some 
side benefits, as well. Because the attacker's transmissions are brief and 
indistinguishable from legitimate transmissions, it may be very difficult to pinpoint the 
attacker. This is a decided change from the broadband jamming scenario with its 
indiscriminate transmissions at relatively high power. Also, the ability to pare one SS 
from the network might be very useful when attempting to perform BS spoofing. 

For the attacker, another benefit of this type of selective denial of service attack is 
that the BS will provide helpful feedback on the progress of the attack. As the victim 
SS's transmissions are degraded, the BS will order the SS to shift to progressively more 
robust modulation and FEC schemes. An attacker that tracked the ordered modulation 
scheme would be able to observe the precise power level required to achieve the desired 
effect. This would be helpful if the attacker were trying to minimize his radiated power 
in order to remain undetected. 
IV. IEEE 802.16 UNIQUE DENIAL OF SERVICE VULNERABILITIES 

A. MESSAGE INJECTION ISSUES 

Assuming an attacker is able to overcome PHY layer synchronization issues and 
break any physical layer bulk encryption that might be present in a military system, two 
issues remain that must be addressed before one can mount the attacks described in 
this chapter. One must first be able to create and transmit the messages that will be used 
as the basis for the attack. Next, there is the issue of message timing, both on an 
intra-frame basis and on an operational state basis. 

1. Message Generation Issues 

In order to be able to inject messages into the wireless stream, one must first have 
the capability to generate these messages in the first place. This is not as trivial an 
undertaking as it might first appear. While several methods suitable for generating 
IEEE 802.11 messages have been discovered, to date there have been no published 
reports on how to create arbitrary messages in IEEE 802.16. There are several reasons 
for this. However, they all seem to return to one issue: the standard is new. Although 
truly IEEE 802.16 compliant equipment is only months or years from the market place, 
as of this writing only pre-802.16 equipment is available. Therefore, hackers and 
security experts have yet to experiment with the equipment. It took years before the test 
and undocumented modes needed to generate arbitrary frames were discovered in IEEE 
802.11 systems. Also, there has yet to emerge a significant market for diagnostic and 
test software. The attacks described in [14] were implemented using commercially 
available test equipment that was created for network testing. While it is assumed that 
similar equipment will emerge for diagnosing and testing IEEE 802.16 networks, as of 
this writing the author is unaware of any commercial product that is suitable for 
generating and injecting IEEE 802.16 messages. 

In [12], the author describes how IEEE 802.11 management frames can be 
generated using commodity hardware. Essentially, one exploits a debug port to overwrite 
the storage buffer of the network interface card. This allows arbitrary frames to be 
inserted just prior to transmission, which ensures that the message is sent without being 
"corrected" by the error controls of the firmware. Figure 9 shows the "AUX Port" that 
was used to inject the bogus messages. 



Figure 9. Block Diagram Showing How the AUX Port is Used to Circumvent Firmware. 
(From [12]). 

The IEEE 802.16 standard specifies exactly what messages may be passed through 
the Service Access Points (SAPs) that link the layers of the protocol stack. Therefore, a 
conforming implementation should expose no way to tamper with the internals of the 
firmware and device memory. However, examination of the IEEE 802.11 protocol stack 
reveals that it was specified in much the same manner as IEEE 802.16. Comparing 
Figures 2 and 10 shows that, at this level of abstraction, the two standards are very 
similar. The two standards share this layered protocol model with other IEEE 802-based 
LANs, including Ethernet. 

Whether it will be possible to access the internals of interface devices will be 
largely dependent on the types of hardware that become available in the future. It seems 
likely that developers will use similar implementation and testing methods when building 
new IEEE 802.16 systems. Based on past experience, it seems highly probable that 
eventually a product will be released with debug-type access to the firmware. It is up to 
the device manufacturers to strive to avoid this type of mistake. Unfortunately, the 
process of translating an abstract specification into a practical implementation is a 
challenging one. 
Figure 10. Protocol Layering in IEEE 802.11. (From [11]). 

The 802.16-like equipment currently available consists of wireless routers that 
stand physically alone. They are accessed via an Ethernet port, which makes firmware 
tampering difficult. However, as previously noted, this is likely to change, as Intel 
Corporation has publicly announced its plans to have WiMAX in laptops by 2006 [19]. 
IEEE 802.16 network interface cards will then be subjected to the same types of abuse 
that their Wi-Fi predecessors have endured. 

2. Timing of Injected Messages 

The question that must be answered is this: when can an attacker inject a message 
so that the victim will receive and obey it? It appears that successfully injecting MAC 
messages into the stream of traffic flowing across an IEEE 802.16 wireless network will 
be a difficult task. There are several obstacles that must be overcome. Aside from the 
fact that the standard’s effective use of message authentication severely limits the types 
of messages that might be spoofed, the primary problem is one of timing. The attacker 
must find an open spot in the schedule, and then time his transmission accordingly. 
When transmitting from a rogue SS to the BS, the propagation delay is learned as part of 
the initial ranging process. However, when attempting to inject messages from a BS, the 
attacker doesn’t know how much propagation delay will be encountered. There are also 
synchronization issues that must be considered. The second major hurdle is that the 
IEEE 802.16 MAC is stateful. The MAC only accepts certain messages at certain times, 
and won’t act upon those presented incorrectly. In combination, these two obstacles will 
make attacks based on message injection difficult to realize. 
IEEE 802.16 details several different transmission schedules, which correspond to 
different PHY layer specifications. While the PHY details vary widely, the MAC 
structure is fairly static across the different PHY specifications. Recall that there are two 
basic cases of transmission schedules: FDD and TDD. 

a. Frequency Division Duplexing (FDD) 

In FDD systems, the uplink and downlink channels are on separate 
frequencies, with the downlink transmitted in discrete bursts. Since the uplink and 
downlink must be scheduled to support half-duplex SSs, there may be times when the 
uplink or downlink channel is unused, allowing the attacker to inject his messages. In 
the uplink direction, all transmissions are scheduled. However, it is important to note 
that the downlink maps only specify when the BS will transition between different 
modulation and FEC schemes and do not detail when traffic for any particular SS will 
be sent. 

This is both an opportunity and an obstacle for an attacker attempting to 
inject spoofed BS MAC messages. SSs listen to the entire downlink, scanning for 
messages addressed to them. Therefore, an attacker should be able to blanket broadcast 
his malicious message at the appropriate time and modulation. Because the attacker 
won't know in advance when there will be gaps in the BS transmission, he will cause 
collisions with other downlink traffic, which may or may not be desirable. In a lightly 
loaded network, the attacker might be able to wait for an empty portion of the downlink 
frame and then transmit. Conversely, in a heavily loaded network, the downlink may be 
continuous from frame to frame. See Figure 11. 
Figure 11. Message Injection Into a Gap in the FDD Bandwidth Allocation. (After [2]). 

b. Time Division Duplexing (TDD) 

In the time division duplex case, there are no gaps in the downlink. See 
Figure 12. The downlink subframe is completely filled by the BS's transmissions. MAC 
frames may be filled with nulls to pad them out to the required length, rather than 
allowing silent intervals within the downlink. Following the downlink there is a brief 
pause that ensures the BS has time to switch from transmit mode to receive mode. This 
is the Tx/Rx Time Delay, which is followed immediately by the uplink. Following the 
uplink, there may be empty transmission slots if the network is lightly loaded. During 
these empty time slots the BS may transmit null messages at reduced power and SSs are 
forbidden to transmit. There is another pause (the Rx/Tx Time Delay) before starting the 
next frame. The relative durations of the downlink and uplink subframes are adaptively 
determined from frame to frame. In the uplink direction, there are maintenance 
opportunities set aside to allow new SSs to join the network and also to allow current 
SSs to make bandwidth requests. With regard to timing issues alone, this is an excellent 
opportunity for an attacker to inject messages in the uplink direction. However, as will 
be discussed later, there are still issues of MAC statefulness to overcome. 
Figure 12. Injecting a Message into a TDD frame. (Synthesized From [2] and [7]). 


B. THE MAC AS STATE MACHINE 

In addition to timing issues that deal with the exact microsecond of message 
arrival, there are timing issues concerning the exact state of the receiver's MAC when the 
injected message arrives. The IEEE 802.16 MAC is specified as a state machine, with 
defined transitions from state to state. As a simple example, see Figure 13, which shows 
the state transitions during dynamic service addition (DSA), deletion (DSD) and change 
(DSC). 


Figure 13. An Overview of the Dynamic Service Flow State Machine. (From [2]). 


For an attacker wishing to inject MAC messages into an SS's downlink, this can 
be a significant obstacle. Aside from the timing issues previously discussed, the attacker 
must also be aware of the victim's state, so that an appropriate message may be sent. For 
example, for a machine in the Null state above, receiving a spoofed dynamic service 
change (DSC) message would have no effect. The message would be discarded. 
Here is a less trivial example of the manner in which an injected message would 
be discarded. During the initial startup process, an SS sends an Authorization Request 
(Auth Request). The BS determines whether or not the SS is authorized to join the 
network, and sends the appropriate response. If the SS's credentials are valid, the BS 
sends an Authorization Reply (Auth Reply) message that includes an authorization key 
and other information that allows the authentication process to move forward. If the BS 
chooses to reject the SS, it sends an Authorization Reject message. An SS that receives 
an Auth Reject message at this point will enter a wait state and try again to authenticate 
later. At first blush, the Auth Reject message would appear to be well suited to form the 
basis of a DoS attack. One could imagine the "Auth Reject attack," where an attacker 
sends thousands of rejection messages into a victim network. After all, the message is 
not itself authenticated with an HMAC digest, and contains no unique serial number or 
other difficult to replicate field. It is simply an error code that represents the reason for 
rejecting the SS's attempt to authenticate. 

Unfortunately for a would-be attacker, the message is only applicable for a very 
brief time during the authorization process. As shown in Figure 14, the Auth Reject 
message (shown highlighted) is only acted upon if the SS is in the Auth Wait state. An 
SS will only spend a short period in the Auth Wait state while awaiting BS authorization. 
At other times this message is discarded as non-applicable. For these reasons, the Auth 
Reject Attack is a failure. 
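The argument above can be checked with a small simulation. The following is an added 
example, not code from the thesis or from any IEEE 802.16 implementation, of the SS side 
of the authorization state machine reduced to the states the text names plus Reauth Wait. 
Timers are modelled as explicit "timeout" events and message bodies are ignored; both are 
simplifications of the standard's machine and are assumptions of this example. An event 
that has no transition defined for the current state is discarded, which is what happens to 
a sprayed Auth Reject arriving before or after the Auth Wait state. 

```python
"""Added example: a reduced model of the SS authorization state machine,
used to show why a sprayed Auth Reject is discarded outside Auth Wait.
Simplifications (assumptions, not the standard's full machine): timers are
explicit "timeout" events and message bodies are ignored."""


class AuthStateMachine:
    START = "Start"
    AUTH_WAIT = "Auth Wait"
    AUTHORIZED = "Authorized"
    REAUTH_WAIT = "Reauth Wait"
    AUTH_REJECT_WAIT = "Auth Reject Wait"

    def __init__(self):
        self.state = self.START
        self.auth_key = None
        self.accepted = []    # (old_state, event, new_state) for events acted upon
        self.discarded = []   # (state, event) for events that did not apply

    def handle(self, event, **params):
        """Apply one event. An event with no entry for the current state is
        discarded, which is exactly what happens to a mis-timed Auth Reject."""
        table = {
            "comm_established": {self.START: self._request},
            "auth_reply":       {self.AUTH_WAIT: self._authorized,
                                 self.REAUTH_WAIT: self._authorized},
            "auth_reject":      {self.AUTH_WAIT: self._reject_wait,
                                 self.REAUTH_WAIT: self._reject_wait},
            "auth_invalid":     {self.AUTHORIZED: self._reauth},
            "timeout":          {self.AUTH_WAIT: self._request,        # resend request
                                 self.AUTH_REJECT_WAIT: self._restart},
        }
        handler = table.get(event, {}).get(self.state)
        if handler is None:
            self.discarded.append((self.state, event))
            return False
        old = self.state
        handler(params)
        self.accepted.append((old, event, self.state))
        return True

    def _request(self, _):
        self.state = self.AUTH_WAIT          # Auth Request sent, awaiting the BS

    def _authorized(self, p):
        self.auth_key = p.get("auth_key")
        self.state = self.AUTHORIZED

    def _reject_wait(self, _):
        self.auth_key = None
        self.state = self.AUTH_REJECT_WAIT   # back off, retry after timeout

    def _reauth(self, _):
        self.state = self.REAUTH_WAIT        # key kept until re-authorization completes

    def _restart(self, _):
        self.state = self.START


def run(events):
    """Feed a constructed event sequence to a fresh SS and report the result."""
    sm = AuthStateMachine()
    for event, params in events:
        sm.handle(event, **params)
    return sm.state, sm.auth_key, len(sm.accepted), len(sm.discarded)


def auth_reject_spray():
    """Attacker sprays Auth Reject before and after the real exchange:
    every copy is discarded and the SS ends up Authorized."""
    spray = [("auth_reject", {})] * 3
    events = (spray
              + [("comm_established", {}), ("auth_reply", {"auth_key": b"AK-1"})]
              + spray)
    return run(events)            # -> ("Authorized", b"AK-1", 2, 6)


def well_timed_reject():
    """One Auth Reject landing inside Auth Wait does delay the SS, but only
    until the reject-wait timer expires and the SS retries."""
    events = [("comm_established", {}), ("auth_reject", {}), ("timeout", {}),
              ("comm_established", {}), ("auth_reply", {"auth_key": b"AK-2"})]
    return run(events)            # -> ("Authorized", b"AK-2", 5, 0)


if __name__ == "__main__":
    print("spray:", auth_reject_spray())
    print("well timed:", well_timed_reject())
```

The two scenarios make the timing argument concrete: six sprayed rejects achieve nothing, 
while the single reject that does land only costs the SS one reject-wait period before it 
re-authorizes. 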


C. PROPOSED DENIAL OF SERVICE ATTACKS 

Close examination of the IEEE 802.16 MAC reveals that there are at least two 
potential vulnerabilities that bear further examination and experimentation. The first 
potential vulnerability lies in the RNG-RSP message that is sent by the BS to set and 
maintain the proper timing of the SS transmissions. The second potential vulnerability 
comes from the specification for the Auth Invalid message. 
The Ranging Request (RNG-REQ) message is the very first message sent by an 
SS seeking to join a network. The message announces the SS's presence and is a request 
for transmission timing, power, frequency and burst profile information. The message is 
also sent periodically to allow for adjustments on the part of the SS. The BS responds to 
the SS request using a Ranging Response (RNG-RSP) message. The format of the 
message is shown in Table 5. 


Management Message Type   Uplink Channel ID (8 bits)            Message Contents 
5 = RNG-RSP               ID of uplink channel on which the BS   Shown in Table 6. 
                          received the RNG-REQ 

Table 5. Format of the RNG-RSP Message. 

Early versions of the standard required an SS to make a RNG-REQ on a periodic 
basis. These requests would have been made during contention-based windows used for 
station maintenance. If an SS were unable to complete the periodic ranging process, it 
would be excluded from the network and ordered to re-initialize its MAC. This created a 
dangerous DoS vulnerability. An attacker that could transmit enough interfering 
messages to fill all of the scheduled time for station maintenance would be able to 
prevent all SSs from conducting periodic ranging, effectively shutting down the network. 

Fortunately, the IEEE 802.16a revision of the standard changed this situation. 
The standard was revised to allow the BS to use any received packet to form the basis of 
a ranging adjustment. This frees the SS from the requirement to periodically re-range in 
a contention-based time slot. It also allows for more timely correction of timing and 
frequency drift. 

Despite this change, the RNG-RSP message remains vulnerable to a potentially 
more serious type of exploitation. The problem is that the RNG-RSP message can do 
more than merely fine-tune SS transmission times. The BS can also use the RNG-RSP 
message to order the SS to change uplink and downlink channels, change transmission 
power levels and even abort all transmissions and re-initialize its MAC. There are 
several reasons why the RNG-RSP message is vulnerable to exploitation: the message is 
not encrypted, it is not authenticated, and it is stateless. An SS will take the action 
directed by any validly formatted RNG-RSP that is addressed to its CID. For details of 
the encoded contents of the RNG-RSP message, refer to Table 6. According to the 
standard, the only required fields are the Timing Adjust, Power Level Adjust and 
Ranging Status. All other fields are optional. 

There are a variety of ways that the message may be misused. The most basic 
way to abuse the message is to spoof unsolicited RNG-RSP messages with the Ranging 
Status field set to a value of 2, which corresponds to "abort." This attack is shown on the 
SS RNG-RSP flowchart, Figure 15. To address the message to a specific SS, the attacker 
would need to sniff the CIDs in use by the victim. A less effective, brute force method 
would be to simply cycle through all 65,536 possible CIDs. This is a very inefficient, 
but fairly effective way to interfere with all nodes within range of the attacker's rogue 
transmitter. Also, since the standard specifies only that the CID be "arbitrarily chosen," 
it is possible that there will be implementations of the standard that 
Name                 Type      Length   Value 
                     (1 byte)  (bytes) 

Timing Adjust        1         4        Tx timing offset adjustment (signed 32-bit). The 
                                        time required to advance SS transmission so frames 
                                        arrive at the expected time instance at the BS. Units 
                                        are PHY specific. During periodic ranging, the range 
                                        of the value of this parameter shall be limited to 
                                        +/- 2 modulation symbols. 

Power Level Adjust   2         1        Tx power offset adjustment (signed 8-bit, 0.25 dB 
                                        units). Specifies the relative change in transmission 
                                        power level that the SS is to make in order that 
                                        transmissions arrive at the BS at the desired power. 

Offset Frequency     3         4        Tx frequency offset adjustment (signed 32-bit, Hz 
Adjust                                  units). Specifies the relative change in transmission 
                                        frequency that the SS is to make in order to better 
                                        match the BS. (This is fine-frequency adjustment 
                                        within a channel, not reassignment to a different 
                                        channel.) 

Ranging Status       4         1        Used to indicate whether uplink messages are received 
                                        within acceptable limits by the BS. 
                                        1 = continue, 2 = abort, 3 = success, 4 = rerange 

Downlink frequency   5         4        Center frequency, in kHz, of new downlink channel on 
override                                which the SS is to redo initial ranging. If this TLV 
                                        is used, the Ranging Status value shall be set to 2. 
                                        Shall be used for licensed bands only. 

Uplink channel ID    6         1        Licensed bands: the identifier of the uplink channel 
override                                on which the SS should redo initial ranging (not used 
                                        with PHYs without channelized uplinks). 
                                        License-exempt bands: the Channel Number where the SS 
                                        should redo initial ranging. 

Downlink Operational 7         1        This parameter is sent in response to the RNG-REQ 
Burst Profile                           Requested Downlink Burst Profile parameter. It 
                                        contains the least robust DIUC that may be used by 
                                        the BS for transmissions to the SS. 

SS MAC Address       8         6        SS MAC Address in MAC-48 format. 

Basic CID            9         2        Basic CID assigned by BS at initial access. 

Primary Management   11        2        Primary Management CID assigned by BS at initial 
CID                                     access. 

PHY Specific Values  12-16     varies   These were added by IEEE 802.16a to provide OFDMA and 
                                        AAS support. 

Table 6. RNG-RSP Message Encodings. (After [3], [4] and [5]). 


simply use sequential CIDs rather than truly arbitrary numbers. If the CIDs were not 
truly arbitrary, the attaeker would only need a single aetive CID to use as the start point 
for a mueh more effieient brute foree attaek. The advantage of these types of brute foree 
method is that an attaeker wouldn’t need to know mueh more than the operating ehannel 
of the network to be attaeked. 
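The encodings of Table 6 as a small encoder, parser and consistency checker, added here as an example; this is not code from the thesis or from the standard. It reduces the MAC management header to the one-byte Management Message Type, treats types 12-16 as opaque, and the symbols_per_unit conversion and all sample values are assumptions.

```python
"""RNG-RSP TLV encoder, parser and consistency checker built from Table 6.

Added example, not code from the thesis or the IEEE standard.  The MAC management
header is reduced to the one-byte Management Message Type; each TLV is a 1-byte
Type, 1-byte Length and Value.  symbols_per_unit (assumption) converts Timing
Adjust units, which are PHY specific, to modulation symbols.
"""
import struct

RNG_RSP = 5  # Management Message Type of RNG-RSP (Table 12)

# Type -> (name, length in bytes, struct format or None for raw bytes), from Table 6.
RNG_RSP_TLVS = {
    1: ("Timing Adjust", 4, ">i"),
    2: ("Power Level Adjust", 1, ">b"),            # 0.25 dB units
    3: ("Offset Frequency Adjust", 4, ">i"),       # Hz
    4: ("Ranging Status", 1, ">B"),
    5: ("Downlink frequency override", 4, ">I"),   # kHz
    6: ("Uplink channel ID override", 1, ">B"),
    7: ("Downlink Operational Burst Profile", 1, ">B"),
    8: ("SS MAC Address", 6, None),
    9: ("Basic CID", 2, ">H"),
    11: ("Primary Management CID", 2, ">H"),
}
RANGING_STATUS = {1: "continue", 2: "abort", 3: "success", 4: "rerange"}


def encode_rng_rsp(fields):
    """Build a RNG-RSP body from {type: value}.  Raw bytes are copied as given."""
    out = bytearray([RNG_RSP])
    for t, v in fields.items():
        name, length, fmt = RNG_RSP_TLVS[t]
        val = struct.pack(fmt, v) if fmt else bytes(v)
        if len(val) != length:
            raise ValueError(f"{name}: expected {length} bytes, got {len(val)}")
        out += bytes([t, length]) + val
    return bytes(out)


def parse_rng_rsp(data):
    """Return (fields, problems).  Unknown types (12-16 are PHY specific) stay raw."""
    if not data or data[0] != RNG_RSP:
        raise ValueError("not a RNG-RSP message")
    fields, problems, i = {}, [], 1
    while i < len(data):
        if i + 2 > len(data):
            problems.append("truncated TLV header")
            break
        t, length = data[i], data[i + 1]
        val = data[i + 2:i + 2 + length]
        i += 2 + length
        if len(val) != length:
            problems.append(f"type {t}: truncated value")
            break
        if t not in RNG_RSP_TLVS:
            fields[t] = val
            continue
        name, exp_len, fmt = RNG_RSP_TLVS[t]
        if length != exp_len:
            problems.append(f"{name}: length {length}, expected {exp_len}")
            continue
        fields[t] = struct.unpack(fmt, val)[0] if fmt else val
    return fields, problems


def check_rng_rsp(fields, periodic_ranging=False, symbols_per_unit=1.0):
    """Consistency rules a receiver can enforce, each taken from Table 6."""
    problems = []
    status = fields.get(4)
    if status is not None and status not in RANGING_STATUS:
        problems.append(f"Ranging Status {status} is undefined")
    if 5 in fields and status != 2:
        problems.append("Downlink frequency override requires Ranging Status = 2 (abort)")
    if periodic_ranging and 1 in fields and abs(fields[1]) * symbols_per_unit > 2:
        problems.append("Timing Adjust outside +/- 2 symbols during periodic ranging")
    return problems


def power_adjust_db(fields):
    """Power Level Adjust is signed, in 0.25 dB steps."""
    return fields[2] * 0.25 if 2 in fields else None
```

A receiver that applies check_rng_rsp rejects the half-formed channel shift (override present, status not abort) that a careless forger would send, but note that the well-formed abort the text describes passes every check here: nothing in the TLV body binds the message to the BS.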
Figure 15. Flow of the RNG-RSP Attack. (After [7]). 


Another way that the RNG-RSP message might be used is to shift a victim node 
to a channel of the attacker's choosing. The attacker would once again spoof the CID 
and message contents; however, this time the message would be used to override the 
uplink and/or downlink channel(s) used by the SS. A couple of scenarios might ensue. 
If the attacker has no BS operating on the specified channel, the SS will eventually find 
its way back to the proper channel, as it scans and discards unused frequencies. 
Depending on the number of channels available for use, this could take some time, as 
the SS must listen for a minimum of 2 ms on each channel before moving on to the next 
(frames are 0.5 ms, 1 ms or 2 ms in duration). Alternately, an attacker could shift only 
the uplink, or only the downlink. This would certainly disrupt the proper operation of 
the SS, and might prove to be an effective DoS attack. 
Shifting the victim SS to a channel of the attacker's choosing would also work 
very well when used in conjunction with a BS Spoof as described in the previous chapter. 
This would seem an ideal way to push an SS off of a legitimate BS and onto an 
illegitimate one. 

2. The Auth Invalid Attack 

As previously discussed, the “Auth Reject Attack” is a failure. However, the 
authorization state machine is a very attractive target and bears further investigation. The 
authorization state machine is one part of the privacy key management (PKM) system 
used in IEEE 802.16. It uses two basic types of MAC management messages—requests 
and responses. Requests, in the form of the PKM-REQ message, are made by SS. PKM- 
RSP is the response message sent by the BS. Table 7 shows the structure of these 
messages. 


Field                        Contents 
Management Message Type      9 = PKM-REQ, 10 = PKM-RSP 
Code                         Identifies the type of PKM message 
PKM Identifier               Serial number of the message 
PKM Attributes               Varies by type of message 

Table 7. PKM Message Format. (After [2]). 


The Message Code is an 8-bit field that identifies the exact type of PKM message. 
Messages using invalid Codes are silently discarded. The complete list of PKM Codes 
and their meanings is given in Table 8. The PKM Identifier is an 8-bit field that acts as 
a message serial number. The SS increments the Identifier field each time it generates a 
new PKM-REQ. When the BS sends its PKM-RSP message, it includes the Identifier of 
the message it is responding to. The SS will discard response messages with Identifier 
fields that do not match a pending request. The PKM Attributes field varies by PKM 
message type. This field is used to provide amplifying information such as error codes, 
key lifetimes and display strings. For example, the Security Association Add message 
includes an Authorization Key sequence number and a series of SA Descriptors that 
specify the desired properties of the new security association. 
Code       PKM Message Type 
0-2        Reserved 
3          Security Association Add 
4          Auth Request 
5          Auth Reply 
6          Auth Reject 
7          Key Request 
8          Key Reply 
9          Key Reject 
10         Auth Invalid 
11         TEK Invalid 
12         Authentication Info 
13-255     Reserved 

Table 8. PKM Message Codes. (After [2]). 


There are four PKM messages of interest: Auth Reject, Key Reject, Auth Invalid 
and TEK Invalid. These are interesting because these messages have a negative impact 
on the authorization state of the SS. Therefore, these messages make good candidates for 
use in attacks similar to the IEEE 802.11 Deauthentication Attack, discussed in an earlier 
chapter. 

Three of these four messages can be quickly ruled out as candidates for use in a 
DoS attack. The Auth Reject message carries no HMAC digest (it answers the Auth 
Request, before any AK exists), but, as discussed previously, it is only processed in the 
Auth Wait state of the authorization state machine, a state that the SS passes through 
quite quickly. For this reason the Auth Reject message, on its own, is unsuitable for use 
in a DoS attack. 

The Key Reject and TEK Invalid messages both require authentication by HMAC 
digest. The attributes of the Key Reject message are shown in Table 9 for illustration. 
If the HMAC digest sent by the attacker does not equal that calculated by the SS, the 
message is discarded. Therefore an attacker would need to be able to calculate correct 
HMAC digest values based on the current AK of the SS. Barring an unanticipated 
compromise of the cryptographic suite in use, this is extremely unlikely. There is a 
second reason that the Key Reject message is unsuitable for use in a DoS attack. As 
required by the standard, the TEK Invalid message Identifier is set to zero. However, 
the Key Reject message needs to have a PKM Identifier that corresponds to the number 
of an open request by the SS. While this is only an 8-bit number (256 possible values), 
this is another hurdle that must be overcome, either by brute force or intelligent 
guessing. Each guess would need a new HMAC calculation as well. 


Attribute                    Contents 
Key-Sequence-Number          Authorization key sequence number 
SAID                         Security Association ID 
Error-Code                   Error code identifying reason for rejection of Key Request 
Display-String (optional)    Display string containing reason for Key Reject 
HMAC-Digest                  Keyed SHA message digest 

Table 9. Key Reject Message Attributes. (From [2]). 


A much better choice of message is the Auth Invalid message. As shown in 
Table 10, the Auth Invalid message is not authenticated by HMAC digest. Therefore it 
would be easy to generate. Also, in stark contrast to the Auth Reject message, the Auth 
Invalid message will be accepted at almost any time during the SS's operation. While the 
SS is only in the Auth Wait state for a brief period, the vast majority of an SS's 
operational time is spent in the Authorized state, where the Auth Invalid message is 
meaningful. 
Attribute                    Contents 
Error-Code                   Error code identifying reason for Authorization Invalid 
Display-String (optional)    Display string describing failure condition 

Table 10. Auth Invalid Message Attributes. (From [2]). 


Even better for the attacker, the Auth Invalid error code includes a value that 
translates to a stateless rejection. This error code is sent unsolicited by the BS when an 
SS’s HMAC digests fail to verify properly. For the full range of choices for Auth 
Reject/Auth Invalid error codes, see Table 11. Notable is error code 0, which sends no 
additional failure information whatsoever. Ironically, according to paragraph 11.2.10 of 
[2], this code was included for “security reasons.” The final reason that the Auth Invalid 
message will most likely be accepted (and acted upon) is that this message does not 
employ the PKM Identifier serial number. The PKM Identifier for an Auth Invalid 
message is zero. Therefore, the SS will not reject the message on the basis of an invalid 
serial number because no serial number is expected. This is a consequence of the 
stateless nature of the message. 


Error Code   Messages                     Description 
0            All                          No information 
1            Auth Reject, Auth Invalid    Unauthorized SS 
2            Auth Reject, Key Reject      Unauthorized SAID 
3            Auth Invalid                 Unsolicited 
4            Auth Invalid, TEK Invalid    Invalid Key Sequence Number 
5            Auth Invalid                 Message (Key Request) authentication failure 
6            Auth Reject                  Permanent Authorization Failure 

Table 11. Auth Invalid Message Error-code Values. (From [3]). 


As shown in Figure 16, the Auth Invalid message causes a transition from the 
Authorized state to the Reauth Wait state. The SS remains in this wait state until 
otherwise directed by the BS. When the Reauth Wait timer expires, a Reauth Request is 
sent by the SS, requesting another chance to rejoin the network. The duration of the 
Reauth Wait timer is measured in seconds. 
Figure 16. Authorization State Machine Highlighting the Auth Invalid Message. 
(After [3]). 


Another event that might occur while an SS Authorization State Machine is in the 
Reauth Wait state is the reception of an Auth Reject message indicating a permanent 
error. This message forces the SS to transition to the Silent state and cease all subscriber 
traffic. While in the Silent state, the SS will still respond to management messages sent 
by the BS. Recall that the Auth Reject message is not authenticated by an HMAC, serial 
number or other means, making it vulnerable to spoofing. Also note that the Auth Reject 
message was previously found to have little value as a DoS weapon because the SS 
spends little of its lifetime in the state required for the message to be processed. However, 
in this instance, the attacker is able to force the SS into a state where the Auth Reject 
message will be processed. By manipulating the Authorization State Machine, an 
attacker is thus able to multiply the effectiveness of the Auth Invalid DoS. The attacker 
need only follow the Auth Invalid message with a Permanent Auth Reject message. The 
victim SS is pushed into the Silent state, awaiting a reset of its MAC. 
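The acceptance rules of Tables 7, 8 and 11 and the two-message chain just described, as an added example (Python) that is not code from the thesis or from any 802.16 implementation: an SS-side PKM receive path with the authorization states named in Figure 16. Three points are assumptions: attributes are carried as a dict instead of the standard's TLV encoding, the HMAC key derivation from the AK is a placeholder, and an Auth Reject with a non-permanent error code moving to Auth Reject Wait follows the standard's state machine rather than anything discussed on this page.

```python
"""SS-side PKM receive path and authorization state machine.

Added example, not code from the thesis or from any 802.16 implementation.
Assumptions: PKM attributes are a dict instead of the standard's TLV encoding; the
HMAC key derivation from the AK is a placeholder; Auth Reject with a non-permanent
error code moving to Auth Reject Wait follows the standard's state machine, which
this page does not discuss.
"""
import hashlib
import hmac

# Table 8 codes used here.
AUTH_REPLY, AUTH_REJECT, KEY_REJECT, AUTH_INVALID, TEK_INVALID = 5, 6, 9, 10, 11
VALID_CODES = set(range(3, 13))                 # 0-2 and 13-255 are reserved
HMAC_PROTECTED = {KEY_REJECT, TEK_INVALID}      # Table 9; Auth Reject and Auth Invalid carry none
PERMANENT_AUTH_FAILURE = 6                      # Table 11 error code


def hmac_key_from_ak(ak):
    # Assumption: placeholder derivation; the standard derives distinct UL/DL keys.
    return hashlib.sha1(b"dl-hmac" + ak).digest()


def pkm_digest(key, code, identifier, attrs):
    """Keyed SHA digest over Code, Identifier and every attribute except the digest."""
    body = bytes([code, identifier]) + repr(sorted(
        (k, v) for k, v in attrs.items() if k != "HMAC-Digest")).encode()
    return hmac.new(key, body, hashlib.sha1).digest()


def pkm_rsp(code, identifier, attrs, key=None):
    """Build a PKM-RSP as (code, identifier, attrs); a key adds the HMAC-Digest."""
    attrs = dict(attrs)
    if key is not None:
        attrs["HMAC-Digest"] = pkm_digest(key, code, identifier, attrs)
    return code, identifier, attrs


class SubscriberStation:
    def __init__(self, ak):
        self.ak = ak
        self.state = "Authorized"        # where an SS spends most of its life
        self.pending = set()             # Identifiers of outstanding PKM-REQs
        self.log = []

    def send_key_request(self, identifier):
        self.pending.add(identifier)

    def receive(self, msg):
        code, identifier, attrs = msg
        if code not in VALID_CODES:
            return self._drop("invalid code")
        if code in HMAC_PROTECTED:
            want = pkm_digest(hmac_key_from_ak(self.ak), code, identifier, attrs)
            if not hmac.compare_digest(attrs.get("HMAC-Digest", b""), want):
                return self._drop("HMAC mismatch")
        if code == KEY_REJECT and identifier not in self.pending:
            return self._drop("Identifier matches no pending request")
        if code in (AUTH_INVALID, TEK_INVALID) and identifier != 0:
            return self._drop("Identifier must be 0 for this stateless message")
        # Nothing above binds Auth Reject or Auth Invalid to a key or to a request.
        return self._transition(code, attrs.get("Error-Code", 0))

    def _transition(self, code, err):
        if code in (KEY_REJECT, TEK_INVALID):
            self.log.append(f"code {code} accepted, handed to the TEK state machine")
            return True
        old = self.state
        if code == AUTH_INVALID and old == "Authorized":
            self.state = "Reauth Wait"
        elif code == AUTH_REJECT and old in ("Auth Wait", "Reauth Wait"):
            self.state = "Silent" if err == PERMANENT_AUTH_FAILURE else "Auth Reject Wait"
        elif code == AUTH_REPLY and old in ("Auth Wait", "Reauth Wait"):
            self.state = "Authorized"
        else:
            return self._drop(f"code {code} has no effect in state {old}")
        self.log.append(f"{old} -> {self.state} (code {code}, error {err})")
        return True

    def _drop(self, why):
        self.log.append(f"dropped: {why}")
        return False


def auth_invalid_chain(ss):
    """The sequence described in the text, sent by an attacker who does not hold the AK."""
    results = [
        ss.receive(pkm_rsp(KEY_REJECT, 7, {"Error-Code": 2})),      # no HMAC: discarded
        ss.receive(pkm_rsp(AUTH_INVALID, 0, {"Error-Code": 0})),    # Authorized -> Reauth Wait
        ss.receive(pkm_rsp(AUTH_REJECT, 0, {"Error-Code": PERMANENT_AUTH_FAILURE})),  # -> Silent
    ]
    return results, ss.state
```

The same forged Key Reject is dropped at the HMAC check while the Auth Invalid and the Permanent Auth Reject pass straight through to the state machine; sending the Permanent Auth Reject first, in the Authorized state, does nothing, which is why the order of the two messages matters.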
D. SUMMARY 

At this point, these proposed denial of service attacks are pure conjecture, based 
only upon academic analysis of the written standard. Actual experimental testing, 
whether real-world or simulated, is required to test the validity of these reported 
vulnerabilities. The true test of these attacks will depend upon the silicon 
embodiment of the standard, rather than the paper document. 
V. CONCLUSION AND RECOMMENDATIONS 


A. CONCLUSION 

The vulnerabilities examined in this thesis are currently only theoretical, based on 
a paper evaluation of a printed standard. It remains to be seen whether the actual 
equipment that is built around the standard is truly vulnerable to the attacks described 
here. In turn, whether these vulnerabilities may actually be exploited by practical means 
will also depend on the hardware units that become available. Even if these 
vulnerabilities truly are present in the equipment sold, by most measures, exploiting 
them will be difficult. 

However, we cannot depend on this difficulty as an assumed form of protection. 
For example, cracking WEP is difficult. It took well educated and dedicated hackers to 
write the first program to exploit the wired equivalent privacy key stream re-use 
vulnerability. Now however, a hacker doesn’t even need to know what WEP stands for 
to be able to circumvent it. The programs that are used to exploit the vulnerability are 
freely available on the Internet. If there are vulnerabilities inherent in IEEE 802.16, they 
will be exploited. 

There is a window of opportunity to improve the security measures of the IEEE 
802.16 standard before WiMAX certified equipment has been built and sold by the 
millions. Changes need to be made before there are many “legacy” WiMAX branded 
systems in customer hands and while there is still time to ensure interoperability with the 
earliest equipment. 

The vulnerabilities inherent in IEEE 802.11 were only discovered after there were 
hundreds of thousands (if not millions) of units already in operation. Efforts to patch the 
newly discovered vulnerabilities were made piecemeal and well after the fact. As a 
result, the vast majority of Wi-Fi deployments remain at risk to denial of service attacks 
(and worse). The reputation of the standard has been damaged, and sales of Wi-Fi 
equipment have probably suffered somewhat. For IEEE 802.16, this situation can be 
avoided. 
B. RECOMMENDATIONS 

There are several possible solutions to every vulnerability presented in this thesis, 
and each of these could be the subject of another piece of research. However, there are a 
few potential solutions the author would like to present as a starting point for further 
development. 

1. Increase the Scope of the Privacy Sublayer 

Currently, MAC Management messages are not permitted to be encrypted. This 
should change. Encrypt or authenticate all MAC Management messages unless there is a 
compelling reason not to. This alone would thwart most of the attacks presented in this 
thesis. 

For most of the messages, the encryption required does not need to be able to 
withstand lengthy, offline attacks. The data contained within the MAC Management 
messages is only useful for a short period of time. Therefore, the encryption scheme 
employed does not need to use a particularly long encryption key. It just needs to be 
robust enough to delay an attacker by minutes, not years. Short keys can provide 
excellent protection if changed often enough. For example, any particular UL-MAP is 
only valuable to an attacker for a period of milliseconds before the assigned transmission 
windows will have passed. Just as there are Key Encryption Keys and Traffic Encryption 
Keys for use with algorithms of different strength (and by extension, different 
computational overhead), there could be a MAC Message Key that is even lighter in 
computational weight. 

There are two basic benefits of encrypting MAC Management messages. First, it 
prevents an attacker from being able to easily craft malicious messages. Remember, the 
RNG-RSP message with code "Abort" only needs an easily sniffed CID for a target. If 
the message is encrypted, an attacker needs a CID and a key. The privacy layer has 
already allowed for the secure exchange of keys, so the attacker is out of luck. Second, 
encrypting MAC Management messages denies an attacker the information he needs to 
be able to craft malicious messages in the first place. For example, if an attacker is 
not able to determine the CID of an SS, he must guess it by brute force. 
One could think of this method as enforcing the principle of least privilege at the 
MAC Layer. For example, a node just entering the network doesn't need the privilege of 
knowing the entire UL-MAP. It just needs to know when it is allowed to transmit. So 
we could encrypt the portions of the UL-MAP that new nodes don't need to know. 

2. Use the Statefulness of the MAC to Its Full Advantage 

There will remain messages that cannot be encrypted. For example, one may 
point out that the RNG-RSP message discussed above may be sent before keys have been 
exchanged. Therefore it cannot be encrypted or authenticated with an HMAC. However, 
this is not entirely true. The message cannot be encrypted or authenticated only when 
keys have not yet been exchanged. At all other times it can be authenticated. So we 
should authenticate it whenever possible. For an example of this, see Figure 17, which is 
an adaptation of the actual RNG-RSP flowchart as seen in Figure 15. Portions of the 
flowchart not germane to this discussion were omitted and changes are highlighted. 



Figure 17. Modified Section of RNG-RSP State Machine. (After [7]). 
With this modified state machine, the RNG-RSP attack will not work against an 
SS that has been authenticated on the network, because it is in possession of securely 
exchanged encryption keys. The only time an attacker would be able to effect the 
RNG-RSP attack on an SS would be in the brief time between initial network entry and 
authentication. 

A well written piece of computer code has error traps that deal with unexpected 
conditions. For example, well written code will include checks on user input and 
reject numbers when characters are expected. This code would then warn the user of the 
error. Similarly, the MAC Layer should trap errors in its input. For example, an 
RNG-RSP with "Abort" as its code is an unexpected event for an SS in normal operation. 
It should be properly checked and an error code should be generated. This would inform 
the BS that the SS has received an Abort, which may be of help in diagnosing an attack. 
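One way to implement the Figure 17 modification together with the error trap just described, as an added example (Python) that is neither the thesis's flowchart nor any vendor's code. The RNG-RSP is modelled as a small dataclass instead of the TLV wire format, the digest covers a fixed canonical encoding of its fields, the key is a placeholder derived from the AK, and the 3.5 GHz channel in the constructed messages is illustrative; all of these are assumptions.

```python
"""State-gated authentication of RNG-RSP, the change proposed in Figure 17.

Added example, not the thesis's flowchart or any vendor's code.  Assumptions: the
RNG-RSP is a small dataclass rather than the TLV wire format; the digest covers a
fixed canonical encoding of its fields; the key is a placeholder derived from the AK;
the 3.5 GHz channel in the constructed messages is illustrative.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

ABORT = 2  # Ranging Status telling the SS to redo initial ranging


@dataclass
class RngRsp:
    cid: int
    ranging_status: int
    dl_frequency_override_khz: Optional[int] = None
    digest: Optional[bytes] = None

    def canonical(self):
        return struct.pack(">HBI", self.cid, self.ranging_status,
                           self.dl_frequency_override_khz or 0)


def rng_rsp_digest(key, rsp):
    return hmac.new(key, rsp.canonical(), hashlib.sha1).digest()


def sign_rng_rsp(key, rsp):
    """What the BS would do once keys exist: attach a digest over the fields."""
    rsp.digest = rng_rsp_digest(key, rsp)
    return rsp


class RangingReceiver:
    """SS side: an unauthenticated RNG-RSP is obeyed only until keys have been exchanged."""

    def __init__(self, cid):
        self.cid = cid
        self.hmac_key = None         # None until PKM has produced an AK
        self.channel_khz = None
        self.events = []

    def keys_established(self, ak):
        # Assumption: placeholder derivation of the RNG-RSP HMAC key from the AK.
        self.hmac_key = hashlib.sha1(b"rng-rsp" + ak).digest()

    def handle(self, rsp):
        if rsp.cid != self.cid:
            return self._reject("CID is not ours")
        if self.hmac_key is not None:
            # Figure 17: after key exchange, a missing or wrong digest is an error to
            # report to the BS, not a command to obey.
            if rsp.digest is None or not hmac.compare_digest(
                    rsp.digest, rng_rsp_digest(self.hmac_key, rsp)):
                return self._reject("unauthenticated RNG-RSP after key exchange (error reported to BS)")
        if rsp.ranging_status == ABORT:
            if rsp.dl_frequency_override_khz:
                self.channel_khz = rsp.dl_frequency_override_khz
            self.events.append(f"abort accepted: redo initial ranging on {self.channel_khz} kHz")
            return True
        self.events.append(f"ranging status {rsp.ranging_status} accepted")
        return True

    def _reject(self, why):
        self.events.append(f"rejected: {why}")
        return False


def demo():
    """Same forged abort before and after key exchange, then a genuine signed RNG-RSP."""
    ss = RangingReceiver(cid=0x0123)
    forged = RngRsp(cid=0x0123, ranging_status=ABORT, dl_frequency_override_khz=3_500_000)
    before = ss.handle(forged)                    # window between entry and authentication
    ss.keys_established(b"\x11" * 20)             # constructed AK
    after = ss.handle(forged)                     # same message, now rejected
    genuine = sign_rng_rsp(ss.hmac_key, RngRsp(cid=0x0123, ranging_status=1))
    ok = ss.handle(genuine)
    return before, after, ok
```

The forged abort is obeyed exactly once, during the window before keys exist that the text identifies as the residual exposure; afterwards the identical bytes produce a rejection entry in the event log that an implementation would report to the BS.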

3. Require Strong Two Way Authentication 

One-way authentication is a poor method to prevent theft of service. If attackers 
are able to own the base station equipment, they are able to "own" an SS from a 
legitimate network. Hardware MAC addresses are insufficient protection. This has been 
a lesson painfully learned with IEEE 802.11. There are a variety of schemes suggested to 
provide strong two-way authentication, including IEEE 802.1X. Further research will 
show which method is best. Even though higher layer encryption (if used) will protect 
user data, BS spoofing still translates to an effective DoS attack. 

4. “Band-aid” Fixes 

Finally, there are a few specific fixes. These are rather disparagingly known as 
"band-aids" as they only address the superficial wound, not the underlying cause. In this 
case however, when the above measures have been taken, it is appropriate to repair minor 
flaws with minor fixes. 

The Auth Invalid message that tells the Authorization state machine (Figure 16) to 
move to the Reauth Wait state should be authenticated using an HMAC derived with a 
valid key. Since the TEK is suspect, one could use the KEK to perform the keyed hash 
that generates the HMAC. One could even use the SS's public key to encrypt this 
message. 
5. Recommendations for Military Use 


In the author’s opinion, the standard is an excellent starting point for the basis of a 
military tactical network. Given that the above recommendations have been applied, 
there would remain changes required to create a military wireless network. Because of 
the unique military environment and requirement for very high availability, DoD should 
adopt an appropriately robust spread spectrum physical layer to improve conventional 
jamming resistance. Second, DoD should continue to use higher layer encryption to 
protect end-to-end transmissions. 

6. Use the WiMAX Forum to Enforce More Than Interoperability 

The WiMAX Forum is the body that verifies compliance with the IEEE 802.16 
standard, and awards the WiMAX "seal of approval" to equipment that passes testing. 
However, all of the equipment that has caused problems in the IEEE 802.11 realm passed 
their Wi-Fi certification too. The problem is that bare compliance with the words of the 
standard is not enough. It is not enough to be interoperable. The equipment 
manufacturers have a responsibility to the rest of the consortium to ensure that their 
equipment meets the standard and meets security best practices. A set of equipment can 
meet the standard perfectly, but if it also includes a "bonus" test message that can be used 
as a very effective DoS weapon, the equipment should not pass certification. If an 
attacker cannot generate bogus messages, he certainly cannot transmit them. I 
recommend that the WiMAX Forum require a thorough security examination of 
equipment that will bear its logo. 


C. SUGGESTIONS FOR FURTHER RESEARCH 

This thesis is just an early look at a brand new standard. The opportunities for 
research are many. Aside from studying solutions to the specific issues addressed in this 
paper, there are entire fields of research that may be applied to investigate the IEEE 
802.16 standard. Radio frequency propagation studies could investigate the extended 
range capabilities of the standard. Network managers will have a variety of questions 
that must be answered. There are issues of network co-existence that can be addressed. 


Specifically, there are a few topics the author would like to suggest: 
Test the proposed attacks either using pre-release equipment or network 
simulation software. Ideally, this research would be conducted using direct input from 
equipment developers. 

Test the IEEE 802.16 MAC Layer with physical layers that will be useful for 
military application, including HF and DSSS signals. 

Measure commercial equipment’s resistance to conventional jamming techniques 
in order to improve the knowledge base for future offensive military actions. The 
equipment will be especially popular in countries that lack wired broadband 
infrastructure. 

Conduct field testing in tactical environments to develop practical military 
applications for equipment based on the IEEE 802.16 standard. In their Naval 
Postgraduate School thesis [6], Munoz and Guice conducted preliminary tactical testing, 
but there is much more that can be done in this area. As important as developing 
equipment is the task of developing doctrine for the employment of tactically deployed 
broadband networks. 
APPENDIX. IEEE 802.16 MAC MANAGEMENT MESSAGES 


This appendix was derived from Table 13 in [2], [7] and [8]. It is a list of all the 
IEEE 802.16 MAC Management Messages, plus Sender, Connection and Authentication 
information. 
Type    Message        Message Description                        Sent By    Connection                  Authentication 
0       UCD            Uplink Channel Descriptor                  BS         Broadcast                   None 
1       DCD            Downlink Channel Descriptor                BS         Broadcast                   None 
2       DL-MAP         Downlink Access Definition                 BS         Broadcast                   None 
3       UL-MAP         Uplink Access Definition                   BS         Broadcast                   None 
4       RNG-REQ        Ranging Request                            SS         Initial Ranging or Basic    None 
5       RNG-RSP        Ranging Response                           BS         Initial Ranging or Basic    None 
6       REG-REQ        Registration Request                       SS         Primary Management          SS X.509 Cert 
7       REG-RSP        Registration Response                      BS         Primary Management          SS Pub Key 
8       Reserved 
9       PKM-REQ        Privacy Key Management Request             SS         Primary Management          Varies 
10      PKM-RSP        Privacy Key Management Response            BS         Primary Management          Varies 
11      DSA-REQ        Dynamic Service Addition Request           BS or SS   Primary Management          HMAC 
12      DSA-RSP        Dynamic Service Addition Response          BS or SS   Primary Management          HMAC 
13      DSA-ACK        Dynamic Service Addition Acknowledge       BS or SS   Primary Management          HMAC 
14      DSC-REQ        Dynamic Service Change Request             BS or SS   Primary Management          HMAC 
15      DSC-RSP        Dynamic Service Change Response            BS or SS   Primary Management          HMAC 
16      DSC-ACK        Dynamic Service Change Acknowledge         BS or SS   Primary Management          HMAC 
17      DSD-REQ        Dynamic Service Deletion Request           BS or SS   Primary Management          HMAC 
18      DSD-RSP        Dynamic Service Deletion Response          BS or SS   Primary Management          HMAC 
19-20   Reserved for future use 
21      MCA-REQ        Multicast Assignment Request               BS         Primary Management          None (message includes a unique Transaction ID) 
22      MCA-RSP        Multicast Assignment Response              SS         Primary Management          None (message includes a unique Transaction ID) 
23      DBPC-REQ       Downlink Burst Profile Change Request      SS         Basic                       None 
24      DBPC-RSP       Downlink Burst Profile Change Response     BS         Basic                       None 
25      RES-CMD        Reset Command                              BS         Basic                       HMAC 
26      SBC-REQ        SS Basic Capability Request                SS         Basic                       None 
27      SBC-RSP        SS Basic Capability Response               BS         Basic                       None 
28      CLK-CMP        SS Network Clock Comparison                BS         Broadcast                   None (message has a sequence number) 
29      DREG-CMD       De/Re-register Command                     BS         Basic                       HMAC 
30      DSX-RVD        DSx Received Message                       BS         Primary Management          Indirectly, from authentication of the DSx-REQ message 
31      TFTP-CPLT      Config File TFTP Complete Message          SS         Primary Management          HMAC 
32      TFTP-RSP       Config File TFTP Complete Response         BS         Primary Management          None 
33      ARQ-Feedback   Standalone ARQ Feedback                    BS or SS   Basic                       None 
34      ARQ-Discard    ARQ Discard Message                        BS or SS   Basic                       None 
35      ARQ-Reset      ARQ Reset Message                          BS or SS   Basic                       None 
36      REP-REQ        Channel Measurement Report Request         BS         Basic                       None 
37      REP-RSP        Channel Measurement Report Response        SS         Basic                       None 
38      Reserved 
39      MSH-NCFG       Mesh Network Configuration                 BS or SS   Broadcast                   Varies (Reject message is not authenticated) 
40      MSH-NENT       Mesh Network Entry                         SS         Basic                       HMAC 
41      MSH-DSCH       Mesh Distributed Schedule                  SS         Broadcast                   None 
42      MSH-CSCH       Mesh Centralized Schedule                  BS         Broadcast                   None 
43      MSH-CSCF       Mesh Centralized Schedule Configuration    BS         Broadcast                   None 
44      AAS-FBCK-REQ   AAS Feedback Request                       SS         Basic                       None (uses Request serial numbers) 
45      AAS-FBCK-RSP   AAS Feedback Response                      BS         Basic                       None (uses Request serial numbers) 
46-255  Reserved 

Table 12. MAC Management Messages. (After [3], [4], [5]). 